Abstract



Cryptographic primitives such as oblivious transfer and bit commitment are 
impossible to realize if unconditional security is required against adversaries 
who are unbounded in running time and memory size. Therefore, it is a great 
challenge to come up with restrictions on the adversary's capabilities such that 
on one hand interesting cryptographic primitives become possible, but on the 
other hand the model is still realistic and as close to practice as possible. 

The bounded-quantum-storage model is a prime example of such a cryptographic model. In this thesis, we initiate the study of cryptographic primitives with unconditional security under the sole assumption that the adversary's quantum memory is of bounded size.

Oblivious transfer and bit commitment can be implemented in this model 
using protocols where honest parties need no quantum memory, whereas an 
adversarial player needs to store at least a large fraction of the total number of 
transmitted qubits in order to break the protocol. This is in sharp contrast to 
the classical bounded-memory model, where we can only tolerate adversaries 
with memory of size polynomially larger than the honest players' memory size. 

On the practical side, our protocols are efficient, non-interactive and can be 
adapted to cope with various kinds of noise in the transmission. In fact, they 
can be implemented using today's technology. 

On the theoretical side, new entropic uncertainty relations involving min-entropy are established and used to prove the security of protocols in the bounded-quantum-storage model according to new strong security definitions. The uncertainty relations lower bound the min-entropy of the encoding used in most quantum-cryptographic protocols and therefore contribute to the understanding of the quantum effects which these protocols are based upon. The most direct way to make use of these lower bounds is by assuming a quantum-memory bound on the adversary. For instance, in the realistic setting of Quantum Key Distribution (QKD) against quantum-memory-bounded eavesdroppers, the uncertainty relation makes it possible to prove the security of QKD protocols while tolerating considerably higher error rates compared to the standard model with unbounded adversaries.

In addition, though not directly related to the bounded-quantum-storage model, a classical result about unconditionally secure 1-out-of-2 Oblivious Transfer (1-2 OT) is obtained. It is pointed out that the standard security requirement for 1-2 OT of bits, namely that the receiver only learns one of the bits sent, holds if and only if the receiver has no information on the XOR of the two bits. This result generalizes to 1-2 OT of strings, in which case the security can be characterized in terms of binary linear functions. More precisely, it is shown that the receiver learns only one of the two strings sent, if and only if he has no information on the result of applying any binary linear function which non-trivially depends on both inputs to the two strings. This result not only gives new insight into the nature of 1-2 OT, but it in particular provides a powerful tool for analyzing 1-2 OT protocols. With this characterization at hand, the reducibility of 1-2 OT of strings to a wide range of weaker primitives follows by a very simple argument.
Chapter 1

Introduction 



In the quest for interesting cryptographic models, bounding the quantum memory of adversarial players is a great assumption.

1.1 Cryptographic Models and Basic Primitives 

It is a fascinating art to come up with protocols^1 that achieve a cryptographic task like encryption, authentication, identification, voting, secure function evaluation, to name just a famous few. To define a notion of security for such protocols, one needs to specify a cryptographic model, i.e. an environment in which the protocol is run. The model states for example the number of honest and dishonest players, the allowed running time and amount of memory available to honest and dishonest players, how dishonest players are allowed to deviate from the protocol, the use of external resources like (quantum) communication channels or other already established cryptographic functionalities etc.

While coming up with more and more protocols for different models, cryptographers realized that some basic primitives (i.e. precisely defined cryptographic tasks) are useful as "benchmarks" of how powerful a particular cryptographic model is. An example is the two-party primitive Oblivious Transfer (OT). It comes in different flavors, but all of these variants are equivalent in the sense that any one of them can be implemented using (possibly several instances of) another. The one-out-of-two variant 1-2 OT was originally introduced by Wiesner around 1970 (but only published much later in [Wie83]) in the very first paper about quantum cryptography, and later rediscovered by Even, Goldreich, and Lempel [EGL82]. It lets a sender Alice transmit two bits to a receiver Bob who can choose which of them to receive. A secure implementation of 1-2 OT does not allow a dishonest sender to learn which of the two bits was received and it does not allow a dishonest receiver to learn any information about the second bit. It was a surprising insight when Kilian showed that this simple primitive is complete for two-party cryptography [Kil88]. In other words, a model in which 1-2 OT can be securely implemented makes it possible to implement any cryptographic functionality between two players^2. Another variant we are concerned with in this thesis was introduced by Rabin [Rab81] and is hence called Rabin Oblivious Transfer (Rabin OT). It is basically a "secure erasure channel": the sender Alice sends a bit which with probability one half is absorbed and with probability one half finds its way to the receiver Bob. The security requirements are the following: whatever a dishonest Alice does, she cannot find out whether the bit was received or not; and whatever a dishonest receiver does, he does not get any information about the bit with probability one half.

^1 A protocol consists of clear-cut instructions for the participating players.

^2 If the model can be reasonably extended to more players, this usually makes it possible to implement secure multi-party protocols as well.

Yet another basic two-party primitive of interest is Bit Commitment (BC) which allows a player to commit himself to a choice of a bit b by communicating with a verifier. The verifier should not learn b (we say the commitment is hiding), yet the committer can later choose to reveal b in a convincing way, i.e. only the value fixed at commitment time will be accepted by the verifier (we say the commitment is binding). Bit Commitment is a fundamental building block of virtually every more complicated cryptographic protocol. Implementing secure BC with a secure 1-2 OT at hand is not difficult^3. On the other hand, there are cryptographic models in which BC can be securely implemented, but not 1-2 OT. Moran and Naor gave an example of such a model by assuming the physical device of a tamper-proof seal [MN05].
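As an added illustration of the construction sketched in footnote 3 (example code written for this page, not taken from the thesis): an ideal 1-2 OT functionality stands in for a secure OT protocol, the committer sends k pairs of bits of parity b through it, and the verifier keeps the one bit per pair that OT delivers. The exhaustive count in cheat_success_probability shows why the scheme is binding (a committer who wants to open to the other bit must flip exactly the bit the verifier did not receive, in every pair), and received_bit_distribution shows why it is hiding (the verifier's single bit per pair is uniform whatever b is). The class and function names are this example's own.

```python
import random


class IdealOT:
    """Ideal 1-2 OT functionality, a constructed stand-in for a secure 1-2 OT
    protocol: the sender inputs two bits, the receiver a choice bit, the receiver
    learns exactly the chosen bit and the sender learns nothing about the choice."""

    def transfer(self, m0, m1, choice):
        return m1 if choice else m0


def commit(b, k, rng, ot=None):
    """Committer side of the footnote-3 construction with k OT instances.
    For each instance choose a random bit r and send the pair (r, r XOR b); both
    pairs have parity b. The verifier's random choice per instance is drawn from
    rng here so that the whole transcript can be produced in one place.
    Returns the opening information (all pairs) and the verifier's view."""
    ot = ot or IdealOT()
    pairs, choices, received = [], [], []
    for _ in range(k):
        r = rng.randrange(2)
        pair = (r, r ^ b)
        c = rng.randrange(2)  # verifier picks one bit of the pair at random
        pairs.append(pair)
        choices.append(c)
        received.append(ot.transfer(pair[0], pair[1], c))
    return pairs, (choices, received)


def verify_opening(b, pairs, view):
    """Verifier side: accept the opening to b iff every revealed pair has parity b
    and agrees with the bit that was delivered through OT."""
    choices, received = view
    if len(pairs) != len(choices):
        return False
    for (m0, m1), c, got in zip(pairs, choices, received):
        if m0 ^ m1 != b:
            return False
        if (m1 if c else m0) != got:
            return False
    return True


def cheat_success_probability(k):
    """Binding: a committer who sent pairs of parity b and wants to open to 1-b must
    flip exactly one bit in every pair, and the flip goes unnoticed only if it hits
    the bit the verifier did not receive. Enumerating all verifier choices and all
    flip patterns gives the exact success probability of a guessing cheater: 2^-k."""
    total = successes = 0
    for verifier_choices in range(2 ** k):
        for flips in range(2 ** k):  # bit i of flips: which bit of pair i is flipped
            total += 1
            if all(((flips >> i) & 1) != ((verifier_choices >> i) & 1) for i in range(k)):
                successes += 1
    return successes / total


def received_bit_distribution(b):
    """Hiding: over the committer's random r and the verifier's choice c, count how
    often the verifier receives 0 and 1 for a fixed committed bit b."""
    counts = [0, 0]
    for r in (0, 1):
        for c in (0, 1):
            pair = (r, r ^ b)
            counts[pair[c]] += 1
    return counts


if __name__ == "__main__":
    rng = random.Random(2024)
    pairs, view = commit(1, 8, rng)
    print("honest opening accepted:", verify_opening(1, pairs, view))
    print("opening to the other bit accepted:", verify_opening(0, pairs, view))
    print("cheating success with k=8:", cheat_success_probability(8))
    print("received-bit counts for b=0 / b=1:",
          received_bit_distribution(0), received_bit_distribution(1))
```

The verifier's acceptance check is deliberately the only place where the parity b is tested, so the same code path rejects both a wrong parity and a mismatch with the delivered bit.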

It is not hard to see that the two security requirements for BC are in a sense contradictory, so perfectly secure bit commitment cannot be implemented "from scratch", that is if only error-free communication is available and there is no limitation assumed on the computing power and memory of the players. The informal reason for this is that the hiding property implies that when 0 is committed to, exactly the same information exchange could have happened when committing to 1. Hence, even if 0 was actually committed to, the committer could always compute a complete view of the protocol consistent with having committed to 1, and pretend that this view was what he had in mind originally. By the reduction of BC to 1-2 OT it follows that also 1-2 OT and many other cryptographic functionalities cannot be perfectly secure when built from scratch.

One might hope that allowing the protocol to make use of quantum communication would make a difference. Here, information is stored in qubits, i.e., in the state of two-level quantum mechanical systems, such as the polarization state of a single photon. Quantum information behaves in a way that is fundamentally different from classical information, enabling, for instance, unconditionally secure key exchange between two honest players (so-called Quantum Key Distribution). However, in the case of two mutually distrusting parties, we are not so fortunate: even with quantum communication, unconditionally secure BC and 1-2 OT remain impossible. This is the infamous impossibility result by Mayers and by Lo and Chau [May97, LC97].



^3 To commit to a bit b, the committer sends random bits of parity b via (several instances of) 1-2 OT and the verifier picks randomly one of the bits. To open, the committer sends all the random bits he was using, and the verifier checks whether these are consistent with what he received.

For this reason, cryptographers have tried hard to exhibit more restricted models where these impossibility results do not apply. The high art in this process is to find assumptions that are as realistic as possible, thus only minimally restricting the model, but still strong enough to allow for implementing interesting functionalities. There are at least three kinds of possible assumptions, namely

• bounding the computing power of players, 

• using the noise in the communication channel, 

• exploiting some physical limitation of the adversary, e.g., if the size of the 
available memory is bounded. 

The first scenario is the basis of many well known solutions based on plausible but unproven complexity assumptions, such as hardness of factoring or discrete logarithms. A term often used for such schemes is "computational security", meaning that it is not impossible for an adversary to behave dishonestly, but it is computationally infeasible for him to do so. Security proofs are usually done by reduction in the sense that breaking the security of the protocol would imply solving a hard problem like factoring the product of two large prime numbers. The second scenario has been used to construct both BC and OT protocols in various models for the noise by Crépeau, Kilian, Damgård, Salvail, Fehr, Morozov, Wolf, and Wullschleger [CK88, DKS99, DFMS04, CMW04, Wul07].

The third scenario is the focus of this thesis. In contrast to the first scenario, 
we deal with "unconditional security" where (depending on the task a protocol 
aims to achieve) an adversary has no way whatsoever to gain illegal information. 
Proofs are not done by reduction, but we can prove in information-theoretic 
terms that except with negligible probability, the adversary does not learn any 
information that is meant to remain secret. 

1.2 Classical Bounded-Storage Model

In the classical bounded-storage model, we assume the players to use classical error-free communication and to be computationally unbounded, but on the other hand restrict the size of their memory. In the usual setting, there is a large random source R (often called the randomizer) which all players can access, but which is too large (or transmitted too quickly) to store as a whole. One can think of R as a deep-space radio source or a satellite broadcasting random bits at a very high rate.

When Maurer introduced the classical bounded-storage model in [Mau90], the goal was secure message transmission. He showed that two honest parties Alice and Bob sharing an initial key can expand that key unless the eavesdropper Eve can store more than a large fraction of the randomizer. The basic idea of the technique allowing Alice and Bob to get an advantage over Eve is that their initial secret key indexes some positions in the randomizer about which Eve has some uncertainty if she cannot store the whole randomizer. Therefore, the bits at these positions can be combined to yield more secure key bits and so to expand the initial key.
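A toy simulation of the key-expansion idea just described, added here as an example that is not part of the thesis: the initial key is modelled directly as the set of t randomizer positions it indexes, the new key bit is the XOR of the bits at those positions, and Eve stores s of the N randomizer bits, chosen without knowing the key. The function names and the parameters N, s and t are assumptions of this example; the simulation generates all of R for convenience, although in the model nobody can store it in full.

```python
import random
from math import comb


def make_randomizer(length, rng):
    """Constructed stand-in for the public randomizer R: a stream of random bits."""
    return [rng.randrange(2) for _ in range(length)]


def expand_key(R, positions):
    """Honest party: as R streams by, read only the bits at the positions indexed
    by the shared initial key and XOR them into one new key bit. The memory needed
    is the list of positions plus a single accumulator bit."""
    bit = 0
    for i in positions:
        bit ^= R[i]
    return bit


def eve_store(R, stored_positions):
    """Eve must decide which bits to keep while R streams by; she keeps s of them."""
    return {i: R[i] for i in stored_positions}


def eve_can_compute(stored, positions):
    """Eve learns the new key bit iff she stored every position it depends on.
    If even one position is missing, the XOR is uniform given her stored bits,
    because the bits of R are independent and uniform."""
    return all(i in stored for i in positions)


def prob_eve_learns_bit(N, s, t):
    """Exact probability that t uniformly random key positions all lie inside
    Eve's s stored positions: C(s, t) / C(N, t). For s = f*N and large N this
    tends to f^t, so the honest parties can drive it down by combining more bits."""
    if t > s:
        return 0.0
    return comb(s, t) / comb(N, t)


def simulate(N, s, t, trials, seed):
    """Monte-Carlo estimate of prob_eve_learns_bit: Eve stores s random positions
    before the key positions matter to her; Alice and Bob derive the same bit."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        R = make_randomizer(N, rng)
        stored = eve_store(R, rng.sample(range(N), s))
        key_positions = rng.sample(range(N), t)  # the shared initial key
        assert expand_key(R, key_positions) == expand_key(R, key_positions)
        hits += eve_can_compute(stored, key_positions)
    return hits / trials


if __name__ == "__main__":
    N, s, t = 64, 32, 4  # Eve stores half of R, the key indexes 4 positions
    print("exact:", prob_eve_learns_bit(N, s, t))
    print("simulated:", simulate(N, s, t, 5000, seed=1))
```

Keeping N small in the test makes the exact value easy to check by hand: with N = 8, s = 4 and t = 2 there are C(8, 2) = 28 possible key position pairs, of which C(4, 2) = 6 fall entirely inside Eve's storage.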
A line of subsequent work by Maurer, Cachin, Aumann, Ding, Rabin, Dziembowski, Lu, and Vadhan [Mau92, CM97, ADR02, DM04, Lu04, Vad04] improved this original protocol in terms of efficiency and security. Aumann, Ding and Rabin [ADR02] noticed that protocols in this model enjoy the property of "everlasting security" in the sense that the newly generated key remains secure even when the initial key is later revealed and Eve is no longer memory-bounded, under the sole condition that the original randomizer cannot be accessed any more. Ding [Din05] showed how to do error correction in the bounded-storage model and therefore how to cope with the situation when the honest parties do not have exactly the same view on the randomizer.

Cachin, Crépeau and Marcil illustrated the power of the bounded-storage model by exhibiting in [CCM98] a protocol for 1-2 OT. Ding improved on this [Din01a] and later showed a constant-round protocol for oblivious transfer in joint work with Harnik, Rosen and Shaltiel [DHRS04].

All these protocols are shown secure as long as the adversary's memory size 
is at most quadratic in the memory size of the honest players. Considering 
the ease and low cost of storing massive amounts of classical data nowadays, 
it is questionable how practical such an assumption on the memory size of the 
players is. It would be clearly more satisfactory to have a larger than quadratic 
separation between the memory size of honest players and that of the adversary. 
However, this was shown to be impossible by Dziembowski and Maurer [DM04]. 

1.3 Contributions 

In this section, we give an overview of the contributions of this thesis. The results about classical oblivious transfer described in Chapter 3 and summarized in Section 1.3.2 are joint work with Damgård, Fehr and Salvail [DFSS06]. All other results are based on two papers co-authored with Damgård, Fehr, Salvail and Renner: [DFSS05] and [DFR+07]. A journal version of [DFSS05] is to appear in a special issue of the SIAM Journal of Computing [DFSS08].

1.3.1 Bounded-Quantum-Storage Model 

In this thesis, we study for the first time protocols where quantum communication is used and we place a bound on the adversary's quantum memory size. There are two reasons why this may be a good idea: first, if we do not bound the classical memory size, we avoid the impossibility result of [DM04]. Second, the adversary's typical goal is to obtain a certain piece of classical information that we want to keep hidden from him. However, if he cannot store all the quantum information that is sent, he must convert some of it to classical information by measuring. This may irreversibly destroy information, and we may be able to arrange it in such a way that the adversary cannot afford to lose information this way, while honest players can.

It turns out that this can be achieved indeed: we present protocols for 
both BC and OT in which n qubits are transmitted, where honest players 
need no quantum memory, but where the adversary must store at least a large 
fraction (typically n/2 or n/4) of the n transmitted qubits to break the protocol. 
We emphasize that no bound is assumed on the adversary's computing power,
nor on his classical memory. This is clearly much more satisfactory than the 
classical case, not only from a theoretical point of view, but also in practice: 
while sending qubits and measuring them immediately as they arrive is well 
within reach of current technology, storing even a single qubit for more than a 
fraction of a second is a formidable technological challenge. 

Furthermore, we show that our protocols also work in a non-ideal setting where we allow the quantum source to be imperfect and the quantum communication to be noisy. We emphasize that what makes OT and BC possible in our model is not so much the memory bound per se, but rather the loss of information on the part of the adversary. Indeed, our results also hold if the adversary's memory device holds an arbitrary number of qubits, but is imperfect in certain ways.

All these factors make the assumption of bounded quantum memory a very attractive cryptographic model. On one hand, as for the classical bounded-storage model, it is simple to work with and yields beautiful theoretical results. On the other hand, it is much more reasonable to assume the difficulty of storing quantum information compared to storing classical information and hence, we are very close to the physical reality and get schemes that can actually be implemented!

1.3.2 Characterization of Security of Classical 1-2 OT 

While the task of formally defining unconditional security of classical protocols for Rabin OT and BC is well understood, capturing the security of 1-2 OT in information-theoretic terms is considerably more delicate, as was pointed out by Crépeau, Savvides, Schaffner and Wullschleger [CSSW06]. For 1-2 OT of bits, it is clear that the security for an honest sender against a cheating receiver guarantees that the receiver does not learn any information about the XOR of the two bits. Somewhat surprisingly, the converse is true as well: not having any information about the XOR of the two bits sent implies that we can point at one bit which the dishonest receiver does not know (given the other).

This idea can be generalized to 1-2 OT of strings where the ignorance of the 
XOR becomes ignorance of the outcome of all Non-Degenerate Linear binary 
Functions (NDLFs) applied to the two strings sent. Such a characterization 
of sender-security in terms of NDLF composes well with strongly two-universal 
hashing and hereby yields a powerful technique to improve the analyses of the 
standard reductions from 1-2 OT to weaker variants of OT. 
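The NDLF characterization can be turned into a concrete test. The following Python is an added example, not code from the thesis: it models the dishonest receiver's knowledge as a deterministic function of the two uniformly random ℓ-bit strings (a simplifying assumption; the thesis treats general views) and checks, for every non-degenerate linear function f(x0, x1) = ⟨a, x0⟩ ⊕ ⟨b, x1⟩ with a ≠ 0 and b ≠ 0, whether f is uniform given the receiver's view. With ℓ = 1 the only NDLF is the XOR of the two bits, so the same test covers the bit case of Section 1.3.2. The three view functions and the name biased_ndlf are constructed for this example.

```python
from itertools import product


def inner(a, x):
    """Inner product over GF(2) of two bit strings given as integers."""
    return bin(a & x).count("1") & 1


def ndlfs(ell):
    """All non-degenerate linear functions on two ell-bit strings, as pairs (a, b):
    f_{a,b}(x0, x1) = <a, x0> XOR <b, x1> with a != 0 and b != 0, so that f depends
    non-trivially on both inputs. For ell = 1 this is just {(1, 1)}, the XOR."""
    return [(a, b) for a in range(1, 2 ** ell) for b in range(1, 2 ** ell)]


def biased_ndlf(view, ell):
    """Sender-security test under the assumption that x0, x1 are uniform ell-bit
    strings and the receiver's view is the deterministic function view(x0, x1).
    Returns the first NDLF (a, b) whose output is not uniform given some value of
    the view, i.e. one the receiver has information about. None means every NDLF
    is hidden, which by the characterization means the receiver learns at most one
    of the two strings."""
    inputs = product(range(2 ** ell), repeat=2)
    tables = {}
    for x0, x1 in inputs:
        v = view(x0, x1)
        for a, b in ndlfs(ell):
            f = inner(a, x0) ^ inner(b, x1)
            tables.setdefault((a, b), {}).setdefault(v, [0, 0])[f] += 1
    for ab in ndlfs(ell):
        if any(zero != one for zero, one in tables[ab].values()):
            return ab
    return None


ELL = 4  # constructed parameter: 4-bit strings


def honest_view(x0, x1):
    """Honest receiver with choice bit 0: learns exactly x0."""
    return x0


def xor_view(x0, x1):
    """Receiver who learned the bitwise XOR of the two strings."""
    return x0 ^ x1


def split_view(x0, x1):
    """Receiver who learned the high half of x0 and the low half of x1."""
    return (x0 >> 2, x1 & 0b11)


if __name__ == "__main__":
    for name, view in [("honest", honest_view), ("xor", xor_view), ("split", split_view)]:
        print(name, "->", biased_ndlf(view, ELL))
```

For the honest view every NDLF stays uniform because ⟨b, x1⟩ with b ≠ 0 is a uniform bit independent of x0; for the XOR view the function with a = b = 1 is fixed by the lowest bit of the view; for the split view the first biased function combines bit 2 of x0 (known) with bit 0 of x1 (known).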

As a historical side note, the original motivation for this classical charac- 
terization was the hope that it translates to the quantum setting and thereby 
yields a security proof of the 1-2 OT scheme in the bounded-quantum-storage 
model. We will point out why this approach does not work. 

1.3.3 Quantum Security Definitions and Protocols 

When the players are allowed to use quantum communication, the output of a dishonest player is a quantum state even when the protocol implements a classical primitive. Therefore, security definitions for Rabin OT, 1-2 OT and BC have to be phrased in quantum terms. As an easy-to-use composability framework has not yet been established for quantum protocols^4, various ad-hoc security requirements are commonly used. The definitions in this thesis are the strongest so far proposed, and as they are based on the (classical) considerations in [CSSW06], we believe that they are best suited to provide sequential composability.

Most of the presented protocols in the bounded-quantum-storage model can 
be cast in a non-interactive form, i.e. only one party sends information when 
doing OT, commitment or opening. We show the following. 

OT in the Bounded-Quantum-Storage Model: There exist non-interactive protocols for Rabin OT and 1-out-of-2 Oblivious Transfer (1-2 OT) of $\ell$-bit messages, secure in the bounded-quantum-storage model against adversaries with quantum-memory size at most $n/2 - \ell$ for Rabin OT and $n/4 - 2\ell$ for 1-2 OT. Here, $n$ is the number of qubits transmitted in the protocol and $\ell$ can be a constant fraction of $n$. Honest players need no quantum memory at all.

For the case of bit commitment, the standard definition of the binding property used in the quantum setting was introduced by Dumais, Mayers and Salvail [DMS00]. For $b \in \{0, 1\}$, let $p_b$ denote the probability that a dishonest committer successfully opens the commitment to value $b$. The binding condition then requires that the sum of $p_0$ and $p_1$ essentially does not exceed 1. More formally, $p_0 + p_1 \le 1 + \mathrm{negl}(n)$ where $\mathrm{negl}(n)$ stands for a term which is negligible in $n$ such as $2^{-cn}$ (for a constant $c > 0$) which is exponentially small in $n$. This is to capture that a quantum committer can always commit to the values 0 and 1 in superposition. We call this notion weakly binding in the following. A shortcoming of this notion is that committing bit by bit is not guaranteed to yield a secure string commitment: the argument that one is tempted to use requires independence of the $p_b$'s between the different executions, which in general does not hold.

Instead, we propose the following strong binding condition: After the commitment phase, there exists a binary random variable $D \in \{0, 1\}$ such that a dishonest committer cannot open the commitment to value $D$ except with negligible probability. The point is that the distribution of $D$ is not under control of the dishonest committer. We will point out that using this definition, we can easily derive the security of a string commitment from the security of the individual bits.

BC in the Bounded-Quantum-Storage Model: There exists a protocol for bit commitment which is non-interactive. It is perfectly hiding and weakly binding in the bounded-quantum-storage model against dishonest committers with quantum-memory size at most $n/2$. It is strongly binding against memory sizes of at most $n/4$. Here, $n$ is the number of qubits transmitted in the protocol. Honest players need no quantum memory at all.

Furthermore, the commitment protocol has the interesting property that the only message is sent to the committer, i.e., it is possible to commit while only receiving information. Such a scheme clearly does not exist without a bound on the committer's memory, even under computational assumptions and using quantum communication: a corrupt committer could always store (possibly quantumly) all the information sent, until opening time, and only then follow the honest committer's algorithm to figure out what should be sent to convincingly open a 0 or a 1.

^4 Some rather complicated frameworks are known. They have been put forward by Ben-Or and Mayers [BM04] and Unruh [Unr02].

Note that in the classical bounded-storage model, it has been shown by Moran, Shaltiel and Ta-Shma [MST04] how to do time-stamping that is non-interactive in our sense: a player can time-stamp a document while only receiving information. However, no reasonable protocol for BC or for time-stamping a single bit exists in this model. It is straightforward to see that any such protocol can be broken by an adversary with classical memory of size twice that of an honest player, while our protocol requires no quantum memory for the honest players and remains secure against any adversary unable to store more than half the size of the quantum transmission.

We also note that it has been shown earlier by Salvail [Sal98] that BC is possible using quantum communication, assuming a different type of physical limitation, namely a bound on the size of coherent measurement that can be implemented. This limitation is incomparable to ours: it does not limit the total size of the memory, instead it limits the number of bits that can be simultaneously operated on to produce a classical result. Our adversary has a limit on the total quantum memory size, but can measure all of it coherently. The protocol from [Sal98] is interactive, and requires a bound on the maximal measurement size that is sub-linear in $n$.

1.3.4 Quantum Uncertainty Relations 

A problem often encountered in quantum cryptography is the following: through some interaction between the players, a quantum state is generated and then measured by one of the players (we call her Alice in the following). Assuming Alice is honest, we want to know how unpredictable her measurement outcome is to the adversary. Once a lower bound on the adversary's uncertainty about Alice's measurement outcome is established, it is usually easy to prove the desired security property of the protocol. Many existing constructions in quantum cryptography have been proven secure following this paradigm.

Typically, Alice does not make her measurement in a fixed basis, but chooses at random from a set of different bases. These bases are usually chosen to be pairwise mutually unbiased, meaning that if the quantum state is such that the measurement outcome in one basis is fixed, then this implies that the uncertainty about the outcome of the measurement in the other basis is maximal. In this way, one hopes to keep the adversary's uncertainty high, even if the state is (partially) under the adversary's control.

An inequality that lower bounds the adversary's uncertainty in such a scenario is called an uncertainty relation. There exist uncertainty relations for different measures of uncertainty but cryptographic applications typically require the adversary's min-entropy to be bounded from below. Such uncertainty relations are the key ingredient in the security proofs of our protocols in the bounded-quantum-storage model.

In this thesis, we introduce new general and tight high-order entropic uncertainty relations. Since the relations are expressed in terms of lower bounds on the min-entropy or upper bounds on large probabilities respectively, they are applicable to a large class of natural protocols in quantum cryptography.

The first uncertainty relation is concerned with the situation where an $n$-qubit state $\rho$ is measured in one out of two mutually unbiased bases, say either in the computational basis (the $+$-basis) or in the diagonal basis (the $\times$-basis).

First Uncertainty Relation: Let $\rho$ be an arbitrary state of $n$ qubits, and let $Q_+(\cdot)$ and $Q_\times(\cdot)$ be the respective probability distributions over $\{0,1\}^n$ of the outcome when $\rho$ is measured in the $+$-basis respectively the $\times$-basis. Then, for any two sets $L_+ \subseteq \{0,1\}^n$ and $L_\times \subseteq \{0,1\}^n$ it holds that

$$Q_+(L_+) + Q_\times(L_\times) \le 1 + 2^{-n/2}\sqrt{|L_+|\,|L_\times|}.$$

Another uncertainty relation is derived for situations where an $n$-qubit state $\rho$ has each of its qubits measured in a random and independent basis sampled uniformly from a fixed set $B$ of bases. $B$ does not necessarily have to be mutually unbiased, but we assume a lower bound $h$ (the so-called average entropic uncertainty bound) on the average Shannon entropy of the distribution $P_\vartheta$, obtained by measuring an arbitrary one-qubit state in basis $\vartheta \in B$, meaning that



Second Uncertainty Relation (informal): Let $B$ be a set of bases with an average entropic uncertainty bound $h$ as above. Let $P_\theta$ denote the probability distribution defined by measuring an arbitrary $n$-qubit state $\rho$ in basis $\theta \in B^n$. For a uniform choice $\Theta \in_R B^n$, it holds except with negligible probability (over $\Theta$ and over $P_\Theta$) that

(1.1)

Observe that (1.1) cannot be improved significantly since the min-entropy of a distribution is at most equal to the Shannon entropy. Our uncertainty relation is therefore asymptotically tight when the bound $h$ is tight.

Any lower bound on the Shannon entropy associated to a set of measurements $B$ can be used in (1.1). In the special case where the set of bases is $B = \{+, \times\}$ (i.e. the two BB84 bases named after Bennett and Brassard who used them in the first quantum-key-distribution protocol [BB84]), $h$ is known precisely using Maassen and Uffink's entropic relation [MU88], see (4.2). We get $h = 1/2$ and (1.1) results in $H_\infty(P_\Theta \mid \Theta = \theta) \gtrsim n/2$. Uncertainty relations for the BB84 coding scheme are useful, since this coding is widely used in quantum cryptography. Its resilience to imperfect quantum channels, sources, and detectors is an important advantage in practice.

A major difference between the first and second uncertainty relation is that while both relations can be used to bound the min-entropy conditioned on an event, this event happens in the latter case with probability essentially 1 (on average) whereas the corresponding event from the first relation (defined in Corollary 4.17) only happens with probability about 1/2.
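To make the first uncertainty relation concrete, here is an added numerical check (example code written for this page, not taken from the thesis). It computes $Q_+$ and $Q_\times$ for a small pure state, evaluates both sides of the inequality for every pair of sets $L_+$, $L_\times$, and confirms that the state $|0\ldots0\rangle$ with $L_+ = \{0^n\}$ and $L_\times = \{0,1\}^n$ meets the bound with equality. Pure states suffice for the demonstration (the theorem covers mixed states too); the function names and the choice $n = 2$ are this example's own.

```python
import math
import random


def hadamard_all(amps):
    """Apply H to every qubit of a 2^n-dimensional amplitude vector, i.e. rotate
    from the computational (+) basis to the diagonal (x) basis, using a normalised
    fast Walsh-Hadamard transform."""
    a = list(amps)
    n = len(a).bit_length() - 1
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                x, y = a[j], a[j + h]
                a[j], a[j + h] = x + y, x - y
        h *= 2
    scale = math.sqrt(2) ** n
    return [v / scale for v in a]


def outcome_distributions(psi):
    """Q_+ and Q_x: the outcome distributions over {0,1}^n (outcomes indexed as
    integers) when the pure state psi is measured in the +-basis and the x-basis."""
    q_plus = [abs(v) ** 2 for v in psi]
    q_times = [abs(v) ** 2 for v in hadamard_all(psi)]
    return q_plus, q_times


def relation_terms(q_plus, q_times, mask_plus, mask_times):
    """Both sides of the first uncertainty relation for sets L_+ and L_x given as
    bitmasks over the 2^n outcomes. Returns the pair
    (Q_+(L_+) + Q_x(L_x), 1 + 2^(-n/2) * sqrt(|L_+| * |L_x|))."""
    n = len(q_plus).bit_length() - 1
    lhs = sum(p for i, p in enumerate(q_plus) if mask_plus >> i & 1)
    lhs += sum(p for i, p in enumerate(q_times) if mask_times >> i & 1)
    size_plus = bin(mask_plus).count("1")
    size_times = bin(mask_times).count("1")
    rhs = 1 + 2 ** (-n / 2) * math.sqrt(size_plus * size_times)
    return lhs, rhs


def max_violation(psi):
    """Largest lhs - rhs over all pairs of subsets (exhaustive, 4^(2^n) pairs, so
    keep n <= 3). The relation holds for psi iff the result is <= 0 up to rounding."""
    q_plus, q_times = outcome_distributions(psi)
    n_outcomes = len(psi)
    worst = -math.inf
    for mask_plus in range(2 ** n_outcomes):
        for mask_times in range(2 ** n_outcomes):
            lhs, rhs = relation_terms(q_plus, q_times, mask_plus, mask_times)
            worst = max(worst, lhs - rhs)
    return worst


def random_pure_state(n, rng):
    """Random pure n-qubit state: normalised complex Gaussian amplitudes."""
    amps = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(2 ** n)]
    norm = math.sqrt(sum(abs(v) ** 2 for v in amps))
    return [v / norm for v in amps]


# Tight case (constructed): |00> gives outcome 00 with certainty in the +-basis
# and a uniform outcome in the x-basis.
TIGHT_STATE = [1, 0, 0, 0]   # n = 2
TIGHT_L_PLUS = 0b0001        # L_+ = {00}
TIGHT_L_TIMES = 0b1111       # L_x = {0,1}^2

if __name__ == "__main__":
    q_plus, q_times = outcome_distributions(TIGHT_STATE)
    print("tight case lhs, rhs:", relation_terms(q_plus, q_times, TIGHT_L_PLUS, TIGHT_L_TIMES))
    rng = random.Random(5)
    for _ in range(3):
        print("max violation on a random 2-qubit state:", max_violation(random_pure_state(2, rng)))
```

In the tight case both sides equal 2: the left side is $1 + 1$, the right side is $1 + 2^{-1}\sqrt{1 \cdot 4}$. For random states the maximum over all set pairs stays at or below zero, as the relation requires.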
1.3.5 QKD against Quantum-Memory-Bounded Eavesdropper

We illustrate the versatility of our second uncertainty relation by applying it to Quantum-Key-Distribution (QKD) settings. QKD is the art of distributing a secret key between two distant parties, Alice and Bob, using only a completely insecure quantum channel and authentic classical communication. QKD protocols typically provide unconditional security, i.e., even an adversary with unlimited resources cannot get any information about the key. A major difficulty when implementing QKD schemes is that they require a low-noise quantum channel. The tolerated noise level depends on the actual protocol and on the desired security of the key. Because the quality of the channel typically decreases with its length, the maximum tolerated noise level is an important parameter limiting the maximum distance between Alice and Bob.

We consider a model in which the adversary has a limited amount of quantum memory to store the information she intercepts during the protocol execution. In this model, we show that the maximum tolerated noise level is larger than in the standard scenario where the adversary has unlimited resources. For one-way QKD protocols, which are protocols where error-correction is performed non-interactively (i.e., a single classical message is sent from one party to the other), we show the following result:

QKD Against Quantum-Memory-Bounded Eavesdroppers: Let $B$ be a set of orthonormal bases of the two-dimensional Hilbert space $\mathcal{H}_2$ with average entropic uncertainty bound $h$. Then, a one-way QKD-protocol produces a secure key against eavesdroppers whose quantum-memory size is sublinear in the length of the raw key at a positive rate, as long as the bit-flip probability $p$ of the quantum channel fulfills $h(p) < h$ where $h(\cdot)$ denotes the binary Shannon-entropy function.

Although this result does not allow us to improve (compared to unbounded adversaries) the maximum error-rate for the BB84 protocol (the 4-state protocol), the 6-state (using three mutually unbiased bases) protocol can be shown secure against adversaries with memory bound sublinear in the secret-key length as long as the bit-flip error-rate is less than 17%. This improves over the maximal error-rate of 13% for this protocol against unbounded adversaries. We also show that the generalization of the 6-state protocol to more bases (not necessarily mutually unbiased) can be shown secure for a maximal error-rate up to 20% provided the number of bases is large enough. Note that the best known one-way protocol based on qubits is proven secure against general attacks for an error-rate of only up to roughly 14.1%, and the theoretical maximum is 16.3% [RGK05].
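An added worked computation of the threshold condition $h(p) < h$ from the statement above (example code for this page, not from the thesis): the binary entropy is inverted by bisection on $[0, 1/2]$ to obtain the largest tolerated bit-flip probability for a given average entropic uncertainty bound. For the BB84 bases the bound $h = 1/2$ is the Maassen and Uffink value used in Section 1.3.4; the value $h = 2/3$ for three mutually unbiased bases and the limiting value $1/(2\ln 2)$ for a basis drawn uniformly at random are assumptions of this example, not numbers stated in this passage. The dictionary BOUNDS and the function names are this example's own.

```python
import math


def binary_entropy(p):
    """h(p) = -p log2 p - (1-p) log2 (1-p), with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def max_tolerated_error(h_bound, tol=1e-12):
    """Largest bit-flip probability p in [0, 1/2] with h(p) < h_bound, found by
    bisection (h is strictly increasing on [0, 1/2]). A bound of 1 or more is never
    informative for a qubit, so 1/2 is returned in that case."""
    if h_bound >= 1.0:
        return 0.5
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binary_entropy(mid) < h_bound:
            lo = mid
        else:
            hi = mid
    return lo


# Average entropic uncertainty bounds h for some sets of qubit bases.
#  - BB84 bases {+, x}: h = 1/2 (Maassen-Uffink), as used in Section 1.3.4.
#  - Six-state protocol, three mutually unbiased bases: h = 2/3, i.e. the three
#    Shannon entropies sum to at least 2; ASSUMPTION of this example, not stated here.
#  - A basis drawn uniformly at random: for a Haar-random qubit measurement the
#    outcome probability is uniform on [0, 1], so the average entropy is
#    integral_0^1 h(p) dp = 1/(2 ln 2) ~ 0.7213; using it as the limiting h for
#    "enough bases" is an ASSUMPTION of this example.
BOUNDS = {
    "BB84 (2 bases)": 0.5,
    "six-state (3 MUBs)": 2.0 / 3.0,
    "random bases (limit)": 1.0 / (2.0 * math.log(2)),
}


def thresholds():
    """Maximal bit-flip rate satisfying h(p) < h for each bound in BOUNDS."""
    return {name: max_tolerated_error(h) for name, h in BOUNDS.items()}


if __name__ == "__main__":
    for name, p in thresholds().items():
        print(f"{name:22s} secure while p < {100 * p:.1f}%")
```

The BB84 value comes out at about 11.0%, which is why the memory bound does not improve the BB84 threshold; the three-basis value is about 17.4% and the random-basis limit about 19.97%, matching the 17% and 20% quoted above.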

The quantum-memory-bounded eavesdropper model studied here is not comparable to other restrictions on adversaries considered in the literature (e.g. individual attacks, where the eavesdropper is assumed to apply independent measurements to each qubit sent over the quantum channel as considered by Fuchs, Gisin, Griffiths, Niu, Peres, and Lütkenhaus [FGG+97, Lüt00]). In fact, these assumptions are generally artificial and their purpose is to simplify security proofs rather than to relax the conditions on the quality of the communication channel from which secure key can be generated. We believe that the quantum-memory-bounded eavesdropper model is more realistic.

1.4 Outline of the Thesis 

In Chapter 2, we introduce notation and present some basic concepts from 
probability and quantum information theory like quantum states and various 
kinds of their entropies. We prepare the stage by reproducing and slightly 
extending the results about privacy amplification via two-universal hashing from 
Renner's PhD thesis [Ren05]. 

Chapter 3 is the only (almost) exclusively classical chapter. It introduces 
the different flavors of oblivious transfer and gives a characterization of the 
security for the sender of 1-2 OT in terms of non-degenerate linear functions. 
It is cast in a stand-alone manner and the rest of the thesis can be understood 
without reading this chapter. 

In Chapter 4, the basis for the security proofs of the following chapters is 
laid by establishing the quantum min-entropic uncertainty relations. The 
following Chapters 5 and 6 contain the quantum definitions, protocols and 
security proofs for Rabin OT and 1-2 OT, respectively. Chapter 7 treats quantum 
bit commitment. Two flavors of the "binding property" are defined and the 
techniques from the two previous chapters are used to prove security in the 
bounded-quantum-storage model. 

Chapter 8 is devoted to another application of the (second) uncertainty 
relation, quantum key distribution against a quantum-memory-bounded 
eavesdropper. The last Chapter 9 addresses some practical issues in greater detail 
and concludes. 

A short summary of the notation, the bibliography and an index can be 
found at the end of the thesis. 



1.5 Related Work 

The classical bounded-storage model is described in Section 1.2. Besides work 
pointed out in the overview of the contributions in Section 1.3 above, it is 
worth mentioning that several protocols aiming at achieving quantum oblivious 
transfer have been proposed. After Wiesner's original conjugate-coding 
protocol [Wie83], Bennett, Brassard, Crépeau, and Skubiszewska proposed an 
interactive protocol for 1-2 OT [BBCS91], whose security was subsequently 
analyzed by Crépeau [Cre94], Mayers and Salvail [MS94, May95], and Yao [Yao95]. 

The protocol from [BBCS91] is interactive and can be easily broken by a 
dishonest receiver with unbounded quantum memory. To ensure that the 
receiver actually performs a measurement, it was suggested to use (quantum) 
bit-commitment schemes such as [BCJL93], which were believed to be secure 
against such adversaries at that point in time. After the impossibility proofs of 
quantum bit commitment by Lo and Chau [LC97] and Mayers [May97], and 
of oblivious transfer by Lo [Lo97], it became clear that assumptions are 
necessary in order to securely realize these primitives. Compared to these previous 
attempts, the protocols in this thesis are simpler, non-interactive, and provably 
secure according to stronger security definitions. 

Work related to classical OT-reductions is referred to in the introductory 
sections to Chapter 3, in Sections 3.1 and 3.4.1. Previous work about quantum 
uncertainty relations is described in Section 4.2. 



Chapter 2 

Preliminaries 



In this chapter, we introduce notation and basic concepts used throughout 
the rest of the thesis. In addition, most of the following chapters have an 
individual preliminary section introducing concepts that are exclusively used in 
those specific chapters. 

This chapter does not give a thorough introduction to probability theory, 
information theory and quantum information processing; we rather assume 
the reader to be familiar with the basic concepts from the standard literature like 
[CT91, NC00]. Instead, we give a specific overview of the concepts which are 
required for understanding this thesis. 

2.1 Notation and Basic Tools 

For a sequence of variables $x_1, \ldots, x_n$, we use the abbreviation $x^i := x_1, \ldots, x_i$ 
for the collection of variables up to index $i$, and we define $x^0 := \emptyset$ to be the 
empty string. 

For a set $I = \{i_1, i_2, \ldots, i_\ell\} \subseteq \{1, \ldots, n\}$ and an $n$-bit string $x \in \{0,1\}^n$, we 
define the substring $x|_I := x_{i_1} x_{i_2} \cdots x_{i_\ell}$. It is sometimes convenient that all 
substrings of this form have the same length, irrespective of the actual size $\ell$ of 
the index set $I$. Therefore, we define the $n$-bit string 
$x|^0_I := x_{i_1} x_{i_2} \cdots x_{i_\ell} 0 \cdots 0$ to be the original substring padded with $n - \ell$ zeros. 

Most logarithms in this thesis are with respect to base 2 and denoted by 
$\log(\cdot)$. However, when needed, $\ln(\cdot)$ denotes the natural logarithm to base $e$. 

We write $B_{\delta n}(x)$ for the ball of all $n$-bit strings at Hamming distance at 
most $\delta n$ from $x$. Note that the number of elements in $B_{\delta n}(x)$ is the same for all 
$x$; we denote it by $B_{\delta n} := |B_{\delta n}(x)|$. It is well known that $B_{\delta n} \le 2^{n h(\delta)}$ for 
$\delta \le \frac{1}{2}$, where 

$$h(p) := -\big( p \cdot \log p + (1-p) \cdot \log(1-p) \big)$$

is the binary entropy function. 

We denote by $\mathrm{negl}(n)$ any function of $n$ smaller than the inverse of any 
polynomial provided $n$ is sufficiently large. 

If we want to choose one of the two symbols $+$ or $\times$ according to the bit $b \in \{0,1\}$, 
we write $[+, \times]_b$. The Kronecker delta function is defined as 

$$\delta_{ij} := \begin{cases} 1 & \text{if } i = j, \\ 0 & \text{if } i \neq j. \end{cases}$$

The indicator random variable $1_{\mathcal{E}}$ equals 1 if the event $\mathcal{E}$ occurs and 0 else. 

Definition 2.1 (convex/concave function) A function $f : \mathbb{R} \to \mathbb{R}$ is convex 
on the interval $[a,b]$, if for any two points $x, y \in [a,b]$ and $0 \le s \le 1$, it 
holds that 

$$f(sx + (1-s)y) \le s f(x) + (1-s) f(y) .$$

Analogously, the function is concave on $[a,b]$, if 

$$f(sx + (1-s)y) \ge s f(x) + (1-s) f(y) .$$

Lemma 2.2 (Jensen's inequality) Let $f : \mathbb{R} \to \mathbb{R}$ be a convex function on 
$\mathbb{R}$ and let $x_1, \ldots, x_n \in \mathbb{R}$. Let $p_1, \ldots, p_n \in [0,1]$ be such that $\sum_i p_i = 1$. Then, 

$$f\Big( \sum_{i=1}^n p_i x_i \Big) \le \sum_{i=1}^n p_i f(x_i) .$$

For $x_1 = x_2 = \ldots = x_n$, equality holds. 



Lemma 2.3 (Cauchy-Schwarz inequality) For real numbers $x_1, \ldots, x_n$ and 
$y_1, \ldots, y_n$, the following holds: 

$$\Big( \sum_{i=1}^n x_i y_i \Big)^2 \le \Big( \sum_{i=1}^n x_i^2 \Big) \cdot \Big( \sum_{i=1}^n y_i^2 \Big) .$$

Proof: Note that $\sum_{i=1}^n (x_i \cdot z + y_i)^2$ is a non-negative quadratic polynomial 
$a \cdot z^2 + b z + c$ in $z$, which has no real root unless all ratios $x_i/y_i$ are equal. 
Therefore, its discriminant $b^2 - 4ac$ is non-positive: 

$$4 \Big( \sum_{i=1}^n x_i y_i \Big)^2 - 4 \Big( \sum_{i=1}^n x_i^2 \Big) \cdot \Big( \sum_{i=1}^n y_i^2 \Big) \le 0 .$$

$\square$ 



2.2 Probability Theory 

For a discrete probability space $(\Omega, P)$, we write $P[\mathcal{E}]$ for the probability of 
the event $\mathcal{E} \subseteq \Omega$, and we write $P_X$ for the distribution of the random variable 
$X : \Omega \to \mathcal{X}$ taking values in the finite set $\mathcal{X}$. As is common practice, we do not 
refer to the probability space $(\Omega, P)$ but leave it implicitly defined by the joint 
probabilities of all considered events and random variables. For two random 
variables $X$ and $Y$ with joint distribution $P_{XY}$ over $\mathcal{X} \times \mathcal{Y}$, the conditional 
probability distribution of $X$ given $Y$ is defined as $P_{X|Y}(x|y) := \frac{P_{XY}(x,y)}{P_Y(y)}$ for all 
$x \in \mathcal{X}$ and $y \in \mathcal{Y}$ with $P_Y(y) > 0$. For a probability distribution $Q$ over $\mathcal{X}$, we 
abbreviate the (overall) probability of a set $L \subseteq \mathcal{X}$ with $Q(L) := \sum_{x \in L} Q(x)$. 

Let $P$ and $Q$ be two probability distributions over the same finite domain 
$\mathcal{X}$. The variational distance$^1$ $\delta(P,Q)$ between $P$ and $Q$ is defined as 

$$\delta(P,Q) := \frac{1}{2} \sum_{x \in \mathcal{X}} |P(x) - Q(x)| .$$

Note that this definition makes sense also for non-normalized distributions, and 
indeed we define and use $\delta(P,Q)$ for arbitrary positive-valued functions $P$ and 
$Q$ with common domain. In case $\mathcal{X}$ is of the form $\mathcal{X} = \mathcal{U} \times \mathcal{V}$, we can expand 
$\delta(P,Q)$ to $\delta(P,Q) = \sum_u \delta\big(P(u,\cdot), Q(u,\cdot)\big) = \sum_v \delta\big(P(\cdot,v), Q(\cdot,v)\big)$. We write 
$P \approx_\varepsilon Q$ to denote that $P$ and $Q$ are $\varepsilon$-close, i.e., that $\delta(P,Q) \le \varepsilon$. 

By UNIF we denote a uniformly distributed binary random variable independent 
of anything else, such that $P_{\mathrm{UNIF}}(b) = \frac{1}{2}$ for both $b \in \{0,1\}$, and $\mathrm{UNIF}^\ell$ 
stands for $\ell$ independent copies of UNIF. 

For a random variable $R$ over the reals $\mathbb{R}$, its expected value is denoted by 
$E[R]$. 

Lemma 2.4 (Markov's inequality) For a non-negative real random variable 
$X$ and $\varepsilon > 0$, we have 

$$\Pr\left[ X \ge \frac{E[X]}{\varepsilon} \right] \le \varepsilon .$$

Proof: For the indicator function $1_{\mathcal{E}}$ which equals 1 if the event $\mathcal{E}$ occurs and 0 
else, we observe that 

$$\frac{E[X]}{\varepsilon} \cdot 1_{\{X \ge E[X]/\varepsilon\}} \le X .$$

Taking the expected values on both sides, using linearity of the expectation and 
rearranging the terms yields the claim. $\square$ 



Lemma 2.5 (Chernoff's inequality) Let $X_1, \ldots, X_n$ be independent and 
identically distributed random variables with Bernoulli distribution, i.e. $X_i = 1$ 
with probability $p$ and $X_i = 0$ with probability $1 - p$. Then $S := \sum_{i=1}^n X_i$ has 
binomial distribution with parameters $(n,p)$ and it holds that 

$$P\big[ |S - pn| \ge \varepsilon n \big] \le 2 e^{-2 \varepsilon^2 n} .$$

See [MOO] or [MP95] for a proof. 

$^1$ Also called statistical or Kolmogorov distance. 

2.3 Quantum Information Theory 

In this section, we give a very brief introduction to the quantum notions we use 
in this thesis; we refer to [NC00, Ren05] for further explanations. 

For any positive integer $d \in \mathbb{N}$, $\mathcal{H}_d$ stands for the complex Hilbert space of 
dimension $d$. Sometimes, we omit the dimension and simply write $\mathcal{H}$. The state 
of a quantum-mechanical system in $\mathcal{H}$ is described by a density operator $\rho$. A 
density operator $\rho$ is normalized with respect to the trace norm ($\mathrm{tr}(\rho) = 1$), 
Hermitian ($\rho^* = \rho$) and has non-negative eigenvalues. $\mathcal{P}(\mathcal{H})$ denotes the set of 
all density operators acting on $\mathcal{H}$. $\mathbb{1}$ denotes the identity matrix, which, 
renormalized by the appropriate dimension, describes the fully mixed state. 

A quantum state $\rho \in \mathcal{P}(\mathcal{H})$ is called pure if it is of the form $\rho = |\varphi\rangle\langle\varphi|$ for 
a (normalized) vector $|\varphi\rangle \in \mathcal{H}$. 

A positive operator-valued measurement (POVM) is a family $M = \{E_x\}_{x \in \mathcal{X}}$ 
of non-negative operators such that $\sum_{x \in \mathcal{X}} E_x$ equals the identity matrix. The 
probability distribution $P_X$ obtained when applying the POVM $M$ to the quantum 
state $\rho$ is defined as $P_X(x) := \mathrm{tr}(E_x \rho)$. 

The general evolution (like unitary transforms, measurements, applying 
noise etc.) of a quantum system in state $\rho$ can be described by a quantum 
operation $\mathcal{E}(\rho)$, which is a completely positive and trace-preserving map, i.e. 
$\mathcal{E}$ is linear and maps non-negative normalized operators $\rho \in \mathcal{P}(\mathcal{H})$ into 
non-negative normalized operators $\mathcal{E}(\rho) \in \mathcal{P}(\mathcal{H})$ (also when applied to only a 
part of a larger system). 

The notion of (variational) distance of two random variables can be naturally 
extended to the trace distance between two density operators $\rho, \sigma \in \mathcal{P}(\mathcal{H})$ 
defined by $\delta(\rho,\sigma) := \frac{1}{2}\mathrm{tr}(|\rho - \sigma|)$, where we define $|A| := \sqrt{A^* A}$ to be the 
positive square-root of $A^* A$. As in the classical case, we write $\rho \approx_\varepsilon \sigma$ to denote 
that $\rho$ and $\sigma$ are $\varepsilon$-close, i.e. $\delta(\rho,\sigma) \le \varepsilon$. The trace distance has an operational 
meaning in that the value $\frac{1}{2} + \frac{1}{2}\delta(\rho,\sigma)$ is the average success probability when 
distinguishing $\rho$ from $\sigma$ via a measurement (each of the two states being given 
with probability $\frac{1}{2}$). In fact, the relation to the classical variational distance 
becomes evident in $\delta(\rho,\sigma) = \max_M \delta(M(\rho), M(\sigma))$, where the maximization is 
over all POVMs $M$ and $M(\rho)$ refers to the probability distribution obtained when 
measuring $\rho$ using $M$. Ruskai [Rus94] showed that the trace distance does not 
increase under (trace-preserving) quantum operations, formally 
$\delta(\mathcal{E}(\rho), \mathcal{E}(\sigma)) \le \delta(\rho,\sigma)$ for any quantum operation $\mathcal{E}$. 

The pair $\{|0\rangle, |1\rangle\}$ denotes the computational or rectilinear or "+" basis for 
the 2-dimensional Hilbert space $\mathcal{H}_2$. The diagonal or "$\times$" basis is defined as 
$\{|0\rangle_\times, |1\rangle_\times\}$ where $|0\rangle_\times = (|0\rangle + |1\rangle)/\sqrt{2}$ and $|1\rangle_\times = (|0\rangle - |1\rangle)/\sqrt{2}$. The 
circular or "$\circ$" basis consists of the vectors $(|0\rangle + i|1\rangle)/\sqrt{2}$ and $(|0\rangle - i|1\rangle)/\sqrt{2}$. 
Measuring a qubit in the $+$-basis (resp. $\times$-basis) means applying the measurement 
described by the projectors $|0\rangle\langle 0|$ and $|1\rangle\langle 1|$ (resp. $|0\rangle_\times\langle 0|_\times$ and $|1\rangle_\times\langle 1|_\times$). 
When the context requires it, we write $|0\rangle_+$ and $|1\rangle_+$ instead of $|0\rangle$ and $|1\rangle$, 
respectively. For an $n$-bit string $x \in \{0,1\}^n$, $|x\rangle_+$ stands for the state 
$\bigotimes_{i=1}^n |x_i\rangle_+ \in \mathcal{H}_2^{\otimes n}$, and analogously for $|x\rangle_\times$. 
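The following Python script is an added worked example, not part of the thesis: it computes the trace distance between the qubit states $|0\rangle$ and $|0\rangle_\times$ from the eigenvalues of $\rho - \sigma$, compares it with the classical variational distance obtained by measuring in the $+$, $\times$ and $\circ$ bases and in the optimal basis (which attains $\delta(\rho,\sigma) = \max_M \delta(M(\rho), M(\sigma))$), and checks Ruskai's monotonicity under a depolarizing channel. The encoding of states as 2x2 nested lists, the helper names and the noise parameter of the channel are choices made for this example.

```python
import math

# Added example (not from the thesis). Qubit states are 2x2 nested lists of
# complex numbers; the +, x and circular bases are those of Section 2.3.
SQRT2 = math.sqrt(2.0)
KET0, KET1 = [1, 0], [0, 1]
KET0X, KET1X = [1 / SQRT2, 1 / SQRT2], [1 / SQRT2, -1 / SQRT2]
KET0O, KET1O = [1 / SQRT2, 1j / SQRT2], [1 / SQRT2, -1j / SQRT2]
BASES = {"+": (KET0, KET1), "x": (KET0X, KET1X), "o": (KET0O, KET1O)}


def projector(ket):
    """Pure state |psi><psi| for a normalized 2-vector psi."""
    k = [complex(a) for a in ket]
    return [[k[i] * k[j].conjugate() for j in range(2)] for i in range(2)]


def rotated_basis(theta):
    """Real basis {cos t|0> + sin t|1>, -sin t|0> + cos t|1>}."""
    return ([math.cos(theta), math.sin(theta)], [-math.sin(theta), math.cos(theta)])


def eigenvalues_hermitian(m):
    """Eigenvalues of a 2x2 Hermitian matrix from its trace and determinant."""
    tr = (m[0][0] + m[1][1]).real
    det = (m[0][0] * m[1][1] - m[0][1] * m[1][0]).real
    disc = math.sqrt(max(tr * tr / 4 - det, 0.0))
    return [tr / 2 + disc, tr / 2 - disc]


def trace_distance(rho, sigma):
    """delta(rho, sigma) = 1/2 tr|rho - sigma| = 1/2 sum_i |lambda_i(rho - sigma)|."""
    diff = [[rho[i][j] - sigma[i][j] for j in range(2)] for i in range(2)]
    return 0.5 * sum(abs(l) for l in eigenvalues_hermitian(diff))


def measure(rho, basis):
    """Outcome distribution P_X(x) = tr(E_x rho) of the projective measurement in basis."""
    dist = []
    for ket in basis:
        e = projector(ket)
        dist.append(sum(e[i][j] * rho[j][i] for i in range(2) for j in range(2)).real)
    return dist


def variational_distance(p, q):
    """Classical delta(P, Q) = 1/2 sum_x |P(x) - Q(x)|."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def measured_distance(rho, sigma, basis):
    return variational_distance(measure(rho, basis), measure(sigma, basis))


def best_fixed_basis_distance(rho, sigma):
    """Best a distinguisher can do with one of the three BB84/6-state bases."""
    return max(measured_distance(rho, sigma, b) for b in BASES.values())


def depolarize(rho, p):
    """Trace-preserving quantum operation: keep rho w.p. 1-p, replace by 1/2 w.p. p."""
    return [[(1 - p) * rho[i][j] + (p / 2 if i == j else 0) for j in range(2)] for i in range(2)]


def demo():
    rho, sigma = projector(KET0), projector(KET0X)           # |0> versus |0>_x
    d = trace_distance(rho, sigma)                           # 1/sqrt(2)
    fixed = best_fixed_basis_distance(rho, sigma)            # only 1/2 with +, x or o
    opt = measured_distance(rho, sigma, rotated_basis(-math.pi / 8))   # equals d
    noisy = trace_distance(depolarize(rho, 0.3), depolarize(sigma, 0.3))  # (1-p) * d
    return d, fixed, opt, noisy


if __name__ == "__main__":
    d, fixed, opt, noisy = demo()
    print(f"trace distance {d:.4f}, best of +/x/o bases {fixed:.4f}, "
          f"optimal basis {opt:.4f}, after 30% depolarizing noise {noisy:.4f}")
```

The basis rotated by $-\pi/8$ is the eigenbasis of $\rho - \sigma$, which is why it recovers the full trace distance while each of the three standard bases only separates the two states by $\frac{1}{2}$; the depolarizing channel shrinks the distance by the factor $1 - p$, in line with Ruskai's inequality.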

As mentioned above, the behavior of a quantum state in a register $E$ is fully 
described by its density matrix $\rho_E$. We often consider cases where a quantum 
state may depend on some classical random variable $X$, in that it is described by 
the density matrix $\rho_E^x$ if and only if $X = x$. For an observer who has only access 
to the register $E$ but not to $X$, the behavior of the state is determined by the 
density matrix $\sum_x P_X(x) \rho_E^x$. The joint state, consisting of the classical $X$ and 
the quantum register $E$ and therefore called cq-state, is described by the density 
matrix $\sum_x P_X(x) |x\rangle\langle x| \otimes \rho_E^x$. In order to have more compact expressions, we 
use the following notation. We write 

$$\rho_{XE} = \sum_x P_X(x) |x\rangle\langle x| \otimes \rho_E^x \quad \text{and} \quad \rho_E = \mathrm{tr}_X(\rho_{XE}) = \sum_x P_X(x) \rho_E^x .$$

More generally, for any event $\mathcal{E}$, we write 

$$\rho_{XE|\mathcal{E}} = \sum_x P_{X|\mathcal{E}}(x) |x\rangle\langle x| \otimes \rho_E^x \quad \text{and} \quad \rho_{E|\mathcal{E}} = \mathrm{tr}_X(\rho_{XE|\mathcal{E}}) = \sum_x P_{X|\mathcal{E}}(x) \rho_E^x .$$

We also write $\rho_X = \sum_x P_X(x) |x\rangle\langle x|$ for the quantum representation of the 
classical random variable $X$ (and similarly for $\rho_{X|\mathcal{E}}$). This notation extends 
naturally to quantum states that depend on several classical random variables 
(i.e. to ccq-states, cccq-states etc.). Given a cq-state $\rho_{XE}$ as above, by saying 
that there exists a random variable $Y$ such that $\rho_{XYE}$ satisfies some condition, 
we mean that $\rho_{XE}$ can be understood as $\rho_{XE} = \mathrm{tr}_Y(\rho_{XYE})$ for a ccq-state 
$\rho_{XYE}$ that satisfies the required condition. 

Obviously, $\rho_{XE} = \rho_X \otimes \rho_E$ holds if and only if the quantum part is independent 
of $X$ (in that $\rho_E^x = \rho_E$ for any $x$ with $P_X(x) > 0$), where the latter in particular 
implies that no information on $X$ can be learned by observing only $\rho_E$. Furthermore, 
if $\rho_{XE}$ and $\rho_X \otimes \rho_E$ are $\varepsilon$-close in terms of their trace distance 
$\delta(\rho,\sigma) = \frac{1}{2}\mathrm{tr}(|\rho - \sigma|)$, then the real system $\rho_{XE}$ "behaves" as the ideal system 
$\rho_X \otimes \rho_E$ except with probability $\varepsilon$ (as explained by Renner and König in [RK05]) 
in that for any evolution of the system no observer can distinguish the real from 
the ideal one with advantage greater than $\varepsilon$. 



2.4 Entropies 

2.4.1 Classical Rényi Entropy 

Definition 2.6 Let $P$ be a probability distribution over the finite set $\mathcal{X}$ and 
$\alpha \in [0, \infty]$. The $\alpha$-order sum of the probability distribution $P$ is defined as 
$\pi_\alpha(P) := \sum_{x \in \mathcal{X}} P(x)^\alpha$. 

In the limits $\alpha \to \infty$ and $\alpha \to 0$, we set $\pi_\infty(P) := \max_{x \in \mathcal{X}} P(x)$ and 
$\pi_0(P) := |\{x \in \mathcal{X} : P(x) > 0\}|$. 

Definition 2.7 (Rényi entropy [Ren61]) Let $P$ be a probability distribution 
over the finite set $\mathcal{X}$ and $\alpha \in [0, \infty]$. The Rényi entropy of order $\alpha$ is defined 
as 

$$H_\alpha(P) := \frac{1}{1-\alpha} \log\big( \pi_\alpha(P) \big) = \log\Big( \Big( \sum_{x \in \mathcal{X}} P(x)^\alpha \Big)^{\frac{1}{1-\alpha}} \Big) .$$

In the limit $\alpha \to \infty$, we obtain the min-entropy $H_\infty(P) = -\log\big( \max_{x \in \mathcal{X}} P(x) \big)$, 
and for $\alpha \to 0$, we obtain the max-entropy $H_0(P) = \log |\{x \in \mathcal{X} : P(x) > 0\}|$. 
Another important special case is $\alpha = 2$, with the collision probability 
$\pi_2(P) = \sum_{x \in \mathcal{X}} P(x)^2$ and the collision entropy $H_2(P) = -\log\big( \sum_{x \in \mathcal{X}} P(x)^2 \big)$. 

For the limit $\alpha \to 1$, we can use Jensen's inequality (Lemma 2.2) with 
$p_x := P(x)$ to compare $\log\big( \sum_x p_x P(x)^{\alpha-1} \big)$, which equals $\log \pi_\alpha(P)$, 
with $\sum_x p_x \log P(x)^{\alpha-1}$. In the limit $\alpha \to 1$, all $P(x)^{\alpha-1}$ go to 1 and 
therefore equality holds, and we obtain the standard definition of the Shannon 
entropy $H(P) := -\sum_x P(x) \log P(x)$ as in [Sha48]. 

For a random variable $X$ with probability distribution $P_X$, we will most 
often slightly abuse notation and use the common shortcut $H_\alpha(X)$ instead of 
$H_\alpha(P_X)$. For a fixed random variable $X$ over the finite set $\mathcal{X}$, $\alpha \mapsto H_\alpha(X)$ is a 
decreasing function on $[0, \infty]$: 

$$\log |\mathcal{X}| \ge H_0(X) \ge H(X) \ge H_2(X) \ge H_\infty(X) ,$$

with equality among the entropies if and only if $X$ is uniform over a subset of 
$\mathcal{X}$. Furthermore, we have that for $\alpha > 1$, $\pi_\alpha(X) = \sum_x P_X(x)^\alpha \ge \max_x P_X(x)^\alpha$ 
and therefore, 

$$H_\alpha(X) = \frac{1}{1-\alpha} \log \pi_\alpha(X) \le \frac{1}{1-\alpha} \log \max_x P_X(x)^\alpha = \frac{\alpha}{1-\alpha} \log \max_x P_X(x) ,$$

which implies the following relation between Rényi entropies of order $\alpha > 1$: 

$$\frac{\alpha - 1}{\alpha} H_\alpha(X) \le H_\infty(X) . \tag{2.1}$$



Conditional Rényi entropy 

The Rényi entropy $H_\alpha(X|Y=y)$ of $X$ given the event $Y = y$ is naturally defined 
as $H_\alpha(X|Y=y) := \frac{1}{1-\alpha} \log\big( \pi_\alpha(X|Y=y) \big)$ with $\pi_\alpha(X|Y=y) := \sum_x P_{X|Y=y}(x)^\alpha$. 
We can define the conditional $\alpha$-order sum of $X$ given $Y$ and the conditional 
Rényi entropy by 

$$\pi_\alpha(X|Y) := \max_y \sum_x P_{X|Y=y}(x)^\alpha \quad \text{and} \quad H_\alpha(X|Y) := \frac{1}{1-\alpha} \log\big( \pi_\alpha(X|Y) \big) .$$

In the limits we have $\pi_\infty(X|Y) = \max_{x,y} P_{X|Y=y}(x)$ and 
$\pi_0(X|Y) = \max_y |\{x \in \mathcal{X} : P_{X|Y=y}(x) > 0\}|$. Since $\frac{1}{1-\alpha}$ is negative for 
$\alpha > 1$ and positive for $\alpha < 1$, the maximization over $y$ amounts to 
$\min_y H_\alpha(X|Y=y)$ for $\alpha > 1$ and to $\max_y H_\alpha(X|Y=y)$ for $\alpha < 1$. For the 
conditional min-, collision- and max-entropy, we get 

$$H_\infty(X|Y) := \min_y H_\infty(X|Y=y) = \min_y \, -\log \max_x P_{X|Y=y}(x) ,$$

$$H_2(X|Y) := \min_y H_2(X|Y=y) = \min_y \, -\log\Big( \sum_x P_{X|Y=y}(x)^2 \Big) ,$$

$$H_0(X|Y) := \max_y H_0(X|Y=y) = \max_y \log |\{x \in \mathcal{X} : P_{X|Y=y}(x) > 0\}| .$$

In the limit $\alpha \downarrow 1$, we get $H_{\downarrow 1}(X|Y) = \min_y H(X|Y=y)$ and for $\alpha \uparrow 1$, we 
get $H_{\uparrow 1}(X|Y) = \max_y H(X|Y=y)$, which might be different. However, the 
standard definition of conditional Shannon entropy is neither of those, but "in 
between": 

$$H(X|Y) := \sum_y P_Y(y) H(X|Y=y) = -\sum_{x,y} P_{XY}(x,y) \log P_{X|Y=y}(x) .$$

We note that in the literature, $H_\alpha(X|Y)$ is sometimes defined as the average 
over $Y$, $\sum_y P_Y(y) H_\alpha(X|Y=y)$, like for Shannon entropy. However, we define 
the following more natural notion. For $1 < \alpha < \infty$, we define the average 
conditional Rényi entropy $\bar{H}_\alpha(X|Y)$ as 

$$\bar{H}_\alpha(X|Y) := -\log\Big( \sum_y P_Y(y) \Big( \sum_x P_{X|Y}(x|y)^\alpha \Big)^{\frac{1}{\alpha-1}} \Big) ,$$

and as $\bar{H}_\infty(X|Y) := -\log\big( \sum_y P_Y(y) \max_x P_{X|Y}(x|y) \big)$ for $\alpha = \infty$. This notion 
is useful in particular because it has the property that if the average conditional 
Rényi entropy is large, then the conditional Rényi entropy is large with high 
probability: 

Lemma 2.8 Let $\alpha > 1$ (allowing $\alpha = \infty$) and $\kappa > 0$. Then with probability at 
least $1 - 2^{-\kappa}$ (over the choice of $y$), $H_\alpha(X|Y=y) \ge \bar{H}_\alpha(X|Y) - \kappa$. 

Proof: By definition of average conditional Rényi entropy, we have 

$$2^{-\bar{H}_\alpha(X|Y)} = E_y\Big[ \pi_\alpha(X|Y=y)^{\frac{1}{\alpha-1}} \Big] = E_y\Big[ 2^{-H_\alpha(X|Y=y)} \Big] .$$

By Markov's inequality (Lemma 2.4), we get that 

$$\Pr_y\Big[ \pi_\alpha(X|Y=y)^{\frac{1}{\alpha-1}} \ge 2^{-\bar{H}_\alpha(X|Y) + \kappa} \Big] \le 2^{-\kappa} ,$$

and therefore, the probability (over $y$) that $H_\alpha(X|Y=y) < \bar{H}_\alpha(X|Y) - \kappa$ is at 
most $2^{-\kappa}$. $\square$ 

As long as $\alpha > 1$, the minimization (or average) over $y$ is the same for all 
orders of Rényi entropy; hence, Equation (2.1) translates to (average) conditional 
Rényi entropy: 

Lemma 2.9 For any $1 < \alpha < \infty$, we have 

$$H_2(X|Y) \ge H_\infty(X|Y) \ge \frac{\alpha - 1}{\alpha} H_\alpha(X|Y)$$

and 

$$\bar{H}_2(X|Y) \ge \bar{H}_\infty(X|Y) \ge \frac{\alpha - 1}{\alpha} \bar{H}_\alpha(X|Y) .$$
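As an added worked example (not from the thesis), the Python code below evaluates the quantities of this section on a small constructed joint distribution $P_{XY}$: Rényi entropies of all orders including the limits, the worst-case conditional entropy $H_\alpha(X|Y)$, the average conditional entropy $\bar{H}_\alpha(X|Y)$, and the guarantee of Lemma 2.8 that the $y$'s with $H_\alpha(X|Y=y) < \bar{H}_\alpha(X|Y) - \kappa$ carry probability at most $2^{-\kappa}$; it also checks the ordering $\log|\mathcal{X}| \ge H_0 \ge H \ge H_2 \ge H_\infty$ and relation (2.1). The distribution PXY and all function names are constructed for this illustration.

```python
import math
from collections import defaultdict

# Added worked example (not from the thesis). Distributions are dicts x -> P(x);
# joint distributions are dicts (x, y) -> P_XY(x, y). Logarithms are base 2.


def renyi_entropy(p, alpha):
    """H_alpha(P) of Definition 2.7, including the limits alpha = 0, 1 and infinity."""
    vals = [v for v in p.values() if v > 0]
    if alpha == math.inf:                       # min-entropy
        return -math.log2(max(vals))
    if alpha == 0:                              # max-entropy
        return math.log2(len(vals))
    if alpha == 1:                              # Shannon entropy
        return -sum(v * math.log2(v) for v in vals)
    return math.log2(sum(v ** alpha for v in vals)) / (1 - alpha)


def marginal_y(pxy):
    py = defaultdict(float)
    for (_, y), v in pxy.items():
        py[y] += v
    return dict(py)


def marginal_x(pxy):
    px = defaultdict(float)
    for (x, _), v in pxy.items():
        px[x] += v
    return dict(px)


def conditional(pxy, y):
    """P_{X|Y=y} as a dict."""
    py = sum(v for (_, yy), v in pxy.items() if yy == y)
    return {x: v / py for (x, yy), v in pxy.items() if yy == y}


def conditional_renyi(pxy, alpha):
    """Worst-case H_alpha(X|Y): min over y for alpha > 1, max over y for alpha < 1,
    as given by pi_alpha(X|Y) = max_y sum_x P_{X|Y=y}(x)^alpha."""
    if alpha == 1:
        raise ValueError("ambiguous at alpha = 1 (the two one-sided limits differ)")
    per_y = [renyi_entropy(conditional(pxy, y), alpha) for y in marginal_y(pxy)]
    return min(per_y) if alpha > 1 else max(per_y)


def average_conditional_renyi(pxy, alpha):
    """bar H_alpha(X|Y) = -log sum_y P_Y(y) 2^{-H_alpha(X|Y=y)} for alpha > 1 (incl. infinity)."""
    if alpha <= 1:
        raise ValueError("defined for alpha > 1 only")
    py = marginal_y(pxy)
    return -math.log2(sum(py[y] * 2 ** -renyi_entropy(conditional(pxy, y), alpha) for y in py))


def bad_mass(pxy, alpha, kappa):
    """Probability (over y) that H_alpha(X|Y=y) < bar H_alpha(X|Y) - kappa;
    Lemma 2.8 promises this is at most 2^-kappa."""
    py = marginal_y(pxy)
    threshold = average_conditional_renyi(pxy, alpha) - kappa
    return sum(py[y] for y in py if renyi_entropy(conditional(pxy, y), alpha) < threshold)


def ordering_holds(px, tol=1e-12):
    """Checks log|X| >= H_0 >= H >= H_2 >= H_inf and relation (2.1) for alpha = 2, 3, 10."""
    chain = [math.log2(len(px))] + [renyi_entropy(px, a) for a in (0, 1, 2, math.inf)]
    monotone = all(a >= b - tol for a, b in zip(chain, chain[1:]))
    h_inf = chain[-1]
    rel21 = all((a - 1) / a * renyi_entropy(px, a) <= h_inf + tol for a in (2, 3, 10))
    return monotone and rel21


# Constructed joint distribution: Y = 0 w.p. 0.9 with X slightly skewed, and Y = 1
# w.p. 0.1 with X fixed to "11", so that worst-case and average entropy differ a lot.
PXY = {("00", 0): 0.3, ("01", 0): 0.2, ("10", 0): 0.2, ("11", 0): 0.2, ("11", 1): 0.1}

if __name__ == "__main__":
    print("worst-case H_inf(X|Y) =", conditional_renyi(PXY, math.inf))          # 0.0
    print("average   H_inf(X|Y) =", average_conditional_renyi(PXY, math.inf))   # -log2(0.4)
    print("mass of bad y (kappa=1) =", bad_mass(PXY, math.inf, 1.0), "<= 0.5")  # 0.1
    print("ordering and (2.1) hold:", ordering_holds(marginal_x(PXY)))
```

For this distribution the worst-case conditional min-entropy is 0 (for $y = 1$ the value of $X$ is fixed), whereas $\bar{H}_\infty(X|Y) = -\log 0.4 \approx 1.32$; the only "bad" $y$ has probability $0.1 \le 2^{-1}$, as Lemma 2.8 requires for $\kappa = 1$.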
Concavity 

Lemma 2.10 For $0 \le \alpha \le 1$, Rényi entropy is a concave entropic functional, 
i.e., for $0 \le s \le 1$ and distributions $P, Q$, we have 

$$H_\alpha(sP + (1-s)Q) \ge s H_\alpha(P) + (1-s) H_\alpha(Q) .$$

For the case of Shannon entropy, note that the function $f(p) := -p \log p$ has 
derivatives $f'(p) = -(1 + \ln p)/\ln 2$ and $f''(p) = -1/(p \ln 2)$, so that $f''(p) < 0$ for 
$0 < p \le 1$. Therefore, $f(p)$ is concave and we have 

$$H(sP + (1-s)Q) = \sum_x f\big( sP(x) + (1-s)Q(x) \big) \ge \sum_x \big( s f(P(x)) + (1-s) f(Q(x)) \big) = s \sum_x f(P(x)) + (1-s) \sum_x f(Q(x)) = s H(P) + (1-s) H(Q) .$$

Higher-order Rényi entropy is not necessarily concave, as the following example 
illustrates. Consider the distributions $P(x) = \delta_{x,0}$ and $Q(x) = 2^{-n}$ 
over $\{0,1\}^n$ with $H_2(P) = 0$ and $H_2(Q) = n$. For the equal mixture of 
these distributions, $\pi_2((P+Q)/2) = \frac{1}{4} + O(2^{-n})$ and hence 
$H_2((P+Q)/2) = -\log\big( \frac{1}{4} + O(2^{-n}) \big) < n/2 = (H_2(P) + H_2(Q))/2$ for $n \ge 5$. 

Fano's Inequality 

Lemma 2.11 (Fano's Inequality) Let $X \leftrightarrow Y \leftrightarrow X'$ be a Markov chain$^2$. 
Then, for the error probability $p_e := P[X \ne X']$, it holds that 

$$H(X|Y) \le h(p_e) + p_e \cdot \log(|\mathcal{X}| - 1) .$$

Proof: We denote by $E := 1_{\{X \ne X'\}}$ the indicator random variable of the event 
$\{X \ne X'\}$ that the guess was not successful. By the chain rule for Shannon 
entropy, we can write 

$$H(XE|Y) = H(X|Y) + H(E|XY) = H(E|Y) + H(X|EY) .$$

We observe that $H(E|Y) \le h(p_e)$, $H(E|XY) \ge 0$ and 

$$H(X|EY) = (1 - p_e) H(X|\{X = X'\}, Y) + p_e H(X|\{X \ne X'\}, Y) \le p_e \log(|\mathcal{X}| - 1) ,$$

since given $Y$ and a correct guess $X$ is determined, and given a wrong guess $X$ 
takes one of at most $|\mathcal{X}| - 1$ values. The claim follows by rearranging the terms. $\square$ 

2.4.2 Smooth Rényi Entropy 

Smooth min- and max-entropies were introduced by Renner and Wolf in [Ren05, 
RW05]$^3$. They are families of entropy measures parametrized by non-negative 
real numbers $\varepsilon$, called the smoothness. They generalize the notions of 
conditional min- and max-entropy defined in the last section. 

$^2$ Think of $X'$ as a guess of $X$ based only on $Y$. 

$^3$ The notion of smoothing a probability distribution was already used in [ILL89]. 
Furthermore, a different kind of smooth Rényi entropy (not equivalent to the ones 
used here) was introduced by Cachin [Cac97]. 



$$H^\varepsilon_\infty(X|Y) := \max_{\mathcal{E}} \min_{x,y} \, -\log\left( \frac{P_{XY\mathcal{E}}(x,y)}{P_Y(y)} \right) ,$$

$$H^\varepsilon_0(X|Y) := \min_{\mathcal{E}} \max_y \log\left| \left\{ x \in \mathcal{X} : \frac{P_{XY\mathcal{E}}(x,y)}{P_Y(y)} > 0 \right\} \right| ,$$

where the maximum/minimum ranges over all events $\mathcal{E}$ with probability $\Pr[\mathcal{E}] \ge 
1 - \varepsilon$. $P_{XY\mathcal{E}}(x,y)$ is the probability that $\mathcal{E}$ occurs and $X, Y$ take the values $x, y$. 
Hence, the "distribution" $P_{XY\mathcal{E}}$ is not normalized. 

For a given distribution $P_{XY}$, it is easy to compute its smooth min-entropy 
(max-entropy), simply by cutting a maximum mass of $\varepsilon$ off the largest (smallest) 
probabilities. 

Informally, the statement $H^\varepsilon_\infty(X) = r$ can be understood as saying that the 
standard min-entropy of $X$ is close to $r$, except with probability $\varepsilon$. As $\varepsilon$ can be 
interpreted as an error probability, we typically require $\varepsilon$ to be negligible in 
the security parameter. 

The reason why we only define the min- and max-versions of smooth Rényi 
entropy is that it is shown in [RW05] that, for example, smooth Rényi entropy 
of order $\alpha > 1$ obeys 

$$H^{\varepsilon + \varepsilon'}_\infty(X|Y) + \frac{\log(1/\varepsilon')}{\alpha - 1} \ge H^\varepsilon_\alpha(X|Y) \ge H^\varepsilon_\infty(X|Y) ,$$

and hence is equivalent to smooth min-entropy up to an additive term which 
depends on $\alpha$ and the smoothness $\varepsilon'$. An analogous statement holds for $\alpha < 1$ 
and smooth max-entropy. As pointed out in [RW05], for $\varepsilon = 0$ the relation 
above shows for example that $H_2(X)$ cannot be larger than $H^{\varepsilon'}_\infty(X) + \log(1/\varepsilon')$, 
whereas for the non-smooth versions, we only know from Equation (2.1) that 
$H_2(X) \le 2 H_\infty(X)$. 

Most importantly, smooth min- and max-entropy have an operational meaning 
as they provide the answer to two fundamental information-theoretic problems: 

• $H^\varepsilon_\infty(X|Y)$ is the maximum amount$^4$ of randomness that can be extracted 
from $X$ and an independent random string $R$, such that except with 
probability $\varepsilon$, the extracted string looks completely uniform to an adversary 
who knows $Y$ and learns $R$. This falls into the setting of privacy 
amplification, see Section 2.5 below. 

• $H^\varepsilon_0(X|Y)$ is the minimal length$^4$ of an encoding computed from $X$ and 
some additional independent randomness $R$, such that except with 
probability $\varepsilon$, someone knowing $Y$ and $R$ can reconstruct $X$ from the encoding. 
This is a data-compression problem which is often called information 
reconciliation or error correction in cryptographic settings. 

$^4$ up to some small additive error term which depends logarithmically on $\varepsilon$ 
In [RW05], it is shown that smooth min- and max-entropies enjoy several 
Shannon-like properties such as the chain rule (see Lemma 2.12 below), 
sub-additivity $H^{\varepsilon + \varepsilon'}_\infty(XY) \le H^\varepsilon_\infty(X) + H^{\varepsilon'}_0(Y)$ and monotonicity 
$H^\varepsilon_\infty(X) \le H^\varepsilon_\infty(XY)$. 

Lemma 2.12 (Chain Rule [RW05]) For all $\varepsilon, \varepsilon' \ge 0$, we have 

$$H^{\varepsilon + \varepsilon'}_\infty(X|Y) \ge H^\varepsilon_\infty(XY) - H_0(Y) - \log\left( \frac{1}{\varepsilon'} \right) .$$

As a consequence of the asymptotic equipartition property (cf. [CT91]), 
smooth Rényi entropy is asymptotically equal to Shannon entropy in the 
following sense. 

Lemma 2.13 ([RW05, HR06]) Let $(X_1, Y_1), \ldots, (X_n, Y_n)$ be $n$ independent 
pairs of random variables distributed according to $P_{XY}$. Then, for $H^\varepsilon$ denoting 
either $H^\varepsilon_\infty$ or $H^\varepsilon_0$, 

$$\lim_{\varepsilon \to 0} \lim_{n \to \infty} \frac{H^\varepsilon(X^n|Y^n)}{n} = H(X|Y) .$$

Note that such a lemma does not hold at all for non-smooth Rényi entropies. 
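The following Python code is an added worked example (not the thesis' own) for two statements made above: that $H^\varepsilon_\infty$ of a classical distribution is obtained by cutting a mass of $\varepsilon$ off the largest probabilities, and Lemma 2.13, i.e. that $H^\varepsilon_\infty(X^n)/n$ for $n$ i.i.d. bits approaches the Shannon entropy $h(q)$ as $n$ grows, while the non-smooth rate $H_\infty(X^n)/n = -\log \max(q, 1-q)$ stays far below it for every $n$. The toy distribution P_TOY, the parameters $q = 0.1$ and $\varepsilon = 0.01$, and the grouping of strings by Hamming weight are choices made for this example.

```python
import math

# Added worked example (not from the thesis): exact smooth min-entropy of a classical
# distribution by capping the largest probabilities, and the convergence of
# Lemma 2.13 for i.i.d. bits (no side information Y).
LN2 = math.log(2.0)


def smooth_min_entropy(classes, eps):
    """H^eps_inf(X) for X given by classes (log_count, log_prob): exp(log_count)
    outcomes sharing the probability exp(log_prob).  The best event E with
    Pr[E] >= 1 - eps caps every probability at a level t, so H^eps_inf = -log2 t
    for the smallest t with sum_x max(P(x) - t, 0) <= eps.  The level is found by
    bisection in the log domain (cut_mass is decreasing in t)."""
    def cut_mass(logt):
        return sum(math.exp(lc + lp) - math.exp(lc + logt)
                   for lc, lp in classes if lp > logt)
    lo = min(lp for _, lp in classes) - 1.0
    hi = max(lp for _, lp in classes)          # cut_mass(hi) = 0 <= eps
    if cut_mass(lo) <= eps:                     # eps so large that all mass can be cut
        return math.inf
    for _ in range(120):
        mid = (lo + hi) / 2.0
        if cut_mass(mid) <= eps:
            hi = mid
        else:
            lo = mid
    return -hi / LN2


def classes_from_dict(p):
    return [(0.0, math.log(v)) for v in p.values() if v > 0]


def binomial_classes(n, q):
    """X^n = n i.i.d. Bernoulli(q) bits, grouped by Hamming weight k: C(n,k) strings
    of probability q^k (1-q)^(n-k) each, kept in the log domain to avoid underflow."""
    return [(math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1),
             k * math.log(q) + (n - k) * math.log(1 - q)) for k in range(n + 1)]


def binary_entropy(q):
    return -(q * math.log2(q) + (1 - q) * math.log2(1 - q))


def smooth_rate_iid(n, q, eps):
    """H^eps_inf(X^n) / n, which by Lemma 2.13 tends to H(X) = h(q)."""
    return smooth_min_entropy(binomial_classes(n, q), eps) / n


def plain_rate_iid(q):
    """Non-smooth H_inf(X^n) / n = -log2 max(q, 1-q), independent of n."""
    return -math.log2(max(q, 1 - q))


# Constructed toy distribution: H_inf = 1 bit, but cutting 1/4 of the mass off the
# top caps the largest probability at t = 1/4, so H^{1/4}_inf = 2 bits.
P_TOY = {"a": 0.5, "b": 0.25, "c": 0.125, "d": 0.125}

if __name__ == "__main__":
    print("H_inf(P_TOY)      =", smooth_min_entropy(classes_from_dict(P_TOY), 0.0))
    print("H^0.25_inf(P_TOY) =", smooth_min_entropy(classes_from_dict(P_TOY), 0.25))
    q, eps = 0.1, 0.01
    print(f"h(q) = {binary_entropy(q):.4f}, non-smooth H_inf rate = {plain_rate_iid(q):.4f}")
    for n in (10, 100, 1000, 10000):
        print(f"n = {n:6d}: H^eps_inf(X^n)/n = {smooth_rate_iid(n, q, eps):.4f}")
```

For $q = 0.1$ the non-smooth rate is $-\log 0.9 \approx 0.152$ bits per symbol for every $n$, whereas the smooth rate climbs towards $h(0.1) \approx 0.469$; the convergence is slow because the smoothing only removes the $\varepsilon$-tail of atypically light strings, whose weight deviates from $qn$ by $O(\sqrt{n})$.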

To provide some intuition about smooth min-entropy, the following lemma 
shows how to translate smooth min-entropy back to regular conditional min-
entropy. 

Lemma 2.14 If $H^\varepsilon_\infty(X|Y) = r$ then there exists an event $\mathcal{E}'$ such that $\Pr(\mathcal{E}') \ge 
1 - 2\varepsilon$ and $H_\infty(X|\mathcal{E}', Y=y) \ge r - 1$ for every $y$ with $P_{Y\mathcal{E}'}(y) > 0$. 

Proof: By definition of smooth min-entropy, there exists an event $\mathcal{E}$ with 
$\Pr(\mathcal{E}) \ge 1 - \varepsilon$ and such that $H_\infty(X\mathcal{E}|Y=y) \ge r$ for all $y$, and thus $P_{X\mathcal{E}|Y}(x|y) 
\le 2^{-r}$ for all $x$ and $y$. Define $\mathcal{E}'$ by setting for all $x$ and $y$ 

$$P_{\mathcal{E}'|XY}(x,y) := \begin{cases} P_{\mathcal{E}|XY}(x,y) & \text{if } P_{\mathcal{E}|Y}(y) \ge \frac{1}{2}, \\ 0 & \text{otherwise,} \end{cases}$$

i.e. $\mathcal{E}'$ is $\mathcal{E}$ restricted to those $y$ on which $\mathcal{E}$ is likely. Then obviously for any $y$ 
with $P_{Y\mathcal{E}'}(y) > 0$ and thus $P_{\mathcal{E}'|Y}(y) = P_{\mathcal{E}|Y}(y) \ge \frac{1}{2}$, 

$$P_{X|\mathcal{E}' Y}(x|y) = \frac{P_{X\mathcal{E}'|Y}(x|y)}{P_{\mathcal{E}'|Y}(y)} \le \frac{2^{-r}}{1/2} = 2^{-r+1} .$$

Furthermore, 

$$\begin{aligned} 1 - \varepsilon \le \Pr(\mathcal{E}) &= \Pr\big(\mathcal{E} \,\big|\, P_{\mathcal{E}|Y}(Y) < \tfrac{1}{2}\big) \cdot \Pr\big(P_{\mathcal{E}|Y}(Y) < \tfrac{1}{2}\big) \\ &\quad + \Pr\big(\mathcal{E} \,\big|\, P_{\mathcal{E}|Y}(Y) \ge \tfrac{1}{2}\big) \cdot \Pr\big(P_{\mathcal{E}|Y}(Y) \ge \tfrac{1}{2}\big) \\ &\le \tfrac{1}{2} \Pr\big(P_{\mathcal{E}|Y}(Y) < \tfrac{1}{2}\big) + \Pr\big(P_{\mathcal{E}|Y}(Y) \ge \tfrac{1}{2}\big) , \end{aligned} \tag{2.2}$$

from which it follows that $\Pr\big(P_{\mathcal{E}|Y}(Y) < \tfrac{1}{2}\big) \le 2\varepsilon$. Thus we can conclude that 

$$\begin{aligned} \Pr(\mathcal{E}') &\ge \Pr\big(\mathcal{E}' \,\big|\, P_{\mathcal{E}|Y}(Y) \ge \tfrac{1}{2}\big) \cdot \Pr\big(P_{\mathcal{E}|Y}(Y) \ge \tfrac{1}{2}\big) \\ &\ge \Pr\big(\mathcal{E} \,\big|\, P_{\mathcal{E}|Y}(Y) \ge \tfrac{1}{2}\big) \cdot \Pr\big(P_{\mathcal{E}|Y}(Y) \ge \tfrac{1}{2}\big) \\ &\ge 1 - \varepsilon - \tfrac{1}{2} \Pr\big(P_{\mathcal{E}|Y}(Y) < \tfrac{1}{2}\big) \\ &\ge 1 - 2\varepsilon , \end{aligned}$$

where the second-last inequality follows from (2.2), noting (once more) that 
$\Pr\big(\mathcal{E} \,\big|\, P_{\mathcal{E}|Y}(Y) < \tfrac{1}{2}\big) \le \tfrac{1}{2}$. $\square$ 

2.4.3 Min-Entropy-Splitting Lemma 

For proving reductions between variants of oblivious transfer in Section 3.4 and 
the security of 1-2 OT in the bounded-quantum-storage model in Chapter 6, we will 
make use of the following min-entropy splitting lemma. Note that if the joint 
entropy of two random variables $X_0$ and $X_1$ is large, then one is tempted to 
conclude that at least one of $X_0$ and $X_1$ must still have large entropy, e.g. half 
of the original entropy. Whereas this is indeed true for Shannon entropy, it 
is in general not true for min-entropy. The following lemma, though, which 
first appeared in a preliminary version of [Wul07], shows that it is true in a 
randomized sense. 

Lemma 2.15 (Min-Entropy-Splitting Lemma) Let $\varepsilon \ge 0$, and let $X_0, X_1$ 
be random variables with $H^\varepsilon_\infty(X_0 X_1) \ge \alpha$. Then, there exists a random variable 
$C \in \{0,1\}$ such that $H^\varepsilon_\infty(X_{1-C} C) \ge \alpha/2$. 

Proof: Below, we give the proof for $\varepsilon = 0$, i.e., for ordinary (non-smooth) min-
entropy. The general claim for smooth min-entropy follows immediately by 
observing that the same argument also works for non-normalized distributions 
with a total probability smaller than 1. 

We extend the probability distribution $P_{X_0 X_1}$ as follows to $P_{X_0 X_1 C}$: Let 
$C = 1$ if $P_{X_1}(x_1) > 2^{-\alpha/2}$ and $C = 0$ otherwise. We have that for all $x_1$, 
$P_{X_1 C}(x_1, 0)$ either vanishes or is equal to $P_{X_1}(x_1)$. In any case, $P_{X_1 C}(x_1, 0) \le 
2^{-\alpha/2}$. 

On the other hand, for all $x_1$ with $P_{X_1 C}(x_1, 1) > 0$, we have that $P_{X_1 C}(x_1, 1) = 
P_{X_1}(x_1) > 2^{-\alpha/2}$ and therefore, for all $x_0$ (using $P_{X_0 X_1}(x_0, x_1) \le 2^{-\alpha}$), 

$$P_{X_0 X_1 C}(x_0, x_1, 1) \le 2^{-\alpha} = 2^{-\alpha/2} \cdot 2^{-\alpha/2} < 2^{-\alpha/2} P_{X_1}(x_1) .$$

Summing over all $x_1$ with $P_{X_0 X_1 C}(x_0, x_1, 1) > 0$, and thus with $P_{X_1 C}(x_1, 1) > 0$, 
results in 

$$P_{X_0 C}(x_0, 1) \le \sum_{x_1} 2^{-\alpha/2} P_{X_1}(x_1) \le 2^{-\alpha/2} .$$

This shows that $P_{X_{1-C} C}(x, c) \le 2^{-\alpha/2}$ for all $x, c$. $\square$ 

The corollary below follows rather straightforwardly by noting that (for 
normalized as well as non-normalized distributions) $H_\infty(X_0 X_1|Z) \ge \alpha$ holds 
exactly if $H_\infty(X_0 X_1|Z = z) \ge \alpha$ for all $z$, applying the Min-Entropy-Splitting 
Lemma, and then using the chain rule, Lemma 2.12. 

Corollary 2.16 Let $\varepsilon \ge 0$ be given, and let $X_0, X_1, Z$ be random variables with 
$H^\varepsilon_\infty(X_0 X_1|Z) \ge \alpha$. Then, there exists a binary random variable $C \in \{0,1\}$ such 
that for all $\varepsilon' > 0$, 

$$H^{\varepsilon + \varepsilon'}_\infty(X_{1-C}|ZC) \ge \alpha/2 - 1 - \log(1/\varepsilon') .$$
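As an added worked example (not from the thesis), the Python code below carries out the construction of $C$ from the proof of Lemma 2.15 on a constructed pair $(X_0, X_1)$ for which the naive conclusion fails: with probability $\frac{1}{2}$, $X_0 = 0^n$ and $X_1$ is uniform, otherwise $X_1 = 0^n$ and $X_0$ is uniform. Jointly the pair has $n$ bits of min-entropy, each variable alone has less than one bit, yet the pair $X_{1-C} C$ has $n \ge n/2$ bits; the code also evaluates the worst-case conditional min-entropy $H_\infty(X_{1-C}|C)$, which is what Corollary 2.16 bounds when $Z$ is trivial and $\varepsilon = 0$. The distribution and the function names are constructed for this illustration.

```python
import math
from fractions import Fraction
from itertools import product

# Added worked example (not from the thesis). Distributions are dicts from outcomes
# (or tuples of outcomes) to exact Fractions; entropies are returned in bits.


def min_entropy(p):
    """H_inf(P) = -log2 max_x P(x)."""
    return -math.log2(max(p.values()))


def marginal(p, idx):
    """Marginal of the idx-th coordinate of a distribution over tuples."""
    m = {}
    for key, v in p.items():
        m[key[idx]] = m.get(key[idx], Fraction(0)) + v
    return m


def min_entropy_splitting(p01, alpha):
    """The construction in the proof of Lemma 2.15: C = 1 iff P_{X1}(x1) > 2^{-alpha/2},
    else C = 0.  Returns the distribution of the pair (X_{1-C}, C): X_0 is kept when
    C = 1 and X_1 is kept when C = 0."""
    p1 = marginal(p01, 1)
    level = 2.0 ** (-alpha / 2)
    out = {}
    for (x0, x1), v in p01.items():
        c = 1 if float(p1[x1]) > level else 0
        key = (x0 if c == 1 else x1, c)
        out[key] = out.get(key, Fraction(0)) + v
    return out


def conditional_min_entropy(p):
    """Worst-case H_inf(A|B) = min_b -log2 max_a P_{A|B=b}(a) for p over pairs (a, b)."""
    pb = marginal(p, 1)
    worst = math.inf
    for b, prob_b in pb.items():
        top = max(v for (_, bb), v in p.items() if bb == b)
        worst = min(worst, -math.log2(top / prob_b))
    return worst


def two_sided_example(n):
    """Constructed pair over n-bit strings: with probability 1/2, X0 = 0^n and X1 is
    uniform; otherwise X1 = 0^n and X0 is uniform.  H_inf(X0 X1) = n, but H_inf(X0)
    and H_inf(X1) are both below 1 bit, so neither variable alone has n/2 bits."""
    zero = "0" * n
    p = {}
    for bits in product("01", repeat=n):
        s = "".join(bits)
        for key in ((zero, s), (s, zero)):
            p[key] = p.get(key, Fraction(0)) + Fraction(1, 2 ** (n + 1))
    return p


def demo(n=6):
    p01 = two_sided_example(n)
    alpha = min_entropy(p01)                                   # n bits jointly
    h0, h1 = min_entropy(marginal(p01, 0)), min_entropy(marginal(p01, 1))
    split = min_entropy_splitting(p01, alpha)
    return alpha, h0, h1, min_entropy(split), conditional_min_entropy(split)


if __name__ == "__main__":
    alpha, h0, h1, h_split, h_cond = demo()
    print(f"H_inf(X0 X1) = {alpha}, H_inf(X0) = {h0:.3f}, H_inf(X1) = {h1:.3f}")
    print(f"H_inf(X_(1-C) C) = {h_split} >= alpha/2 = {alpha / 2}")
    print(f"H_inf(X_(1-C) | C) = {h_cond:.3f} >= alpha/2 - 1 = {alpha / 2 - 1}")
```

On this input $C$ becomes 1 exactly when $X_1 = 0^n$ (the only value of $X_1$ whose probability exceeds $2^{-\alpha/2}$), so the "kept" variable is always the one that was chosen uniformly, and the split pair retains the full $n$ bits rather than merely the $n/2$ the lemma guarantees.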
2.4.4 Entropy of Quantum States 

As pointed out in [RK05], Rényi entropy $H_\alpha(\rho)$ can also be defined for a quantum 
state $\rho \in \mathcal{P}(\mathcal{H})$. For $\alpha \in [0, \infty]$ and $\rho \in \mathcal{P}(\mathcal{H})$, we have 

$$H_\alpha(\rho) := \frac{1}{1-\alpha} \log\big( \mathrm{tr}(\rho^\alpha) \big) .$$

In the limit cases $\alpha \to 0$ and $\alpha \to \infty$, we obtain $H_0(\rho) = \log(\mathrm{rank}(\rho))$ and 
$H_\infty(\rho) = -\log(\lambda_{\max}(\rho))$, where $\lambda_{\max}(\rho)$ denotes the maximum eigenvalue of $\rho$. 
For $\alpha = 2$, we obtain the collision entropy $H_2(\rho) = -\log\big( \sum_i \lambda_i^2 \big)$, where $\{\lambda_i\}_i$ 
are the eigenvalues of $\rho$. 

For a classical random variable $X$ encoded in $\rho_X = \sum_x P_X(x) |x\rangle\langle x|$, it holds 
that $H_\alpha(\rho_X) = H_\alpha(X)$. 

For deriving our version of the privacy-amplification theorem in the next 
section, we need the slightly more involved version of quantum conditional 
min-entropy from [Ren05]. 

Definition 2.17 ([Ren05]) Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ and $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$. The 
min-entropy of $\rho_{AB}$ relative to $\sigma_B$ is 

$$H_{\min}(\rho_{AB}|\sigma_B) := -\log \lambda ,$$

where $\lambda$ is the minimum real number such that $\lambda \cdot \mathbb{1}_A \otimes \sigma_B - \rho_{AB}$ is non-negative. 
The min-entropy of $\rho_{AB}$ given $\mathcal{H}_B$ is 

$$H_{\min}(\rho_{AB}|B) := \sup_{\sigma_B} H_{\min}(\rho_{AB}|\sigma_B) ,$$

where the supremum ranges over all $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$. 

Similar to the classical case, the smooth version can be defined as follows. 

Definition 2.18 ([Ren05]) Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$, $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$, and $\varepsilon \ge 0$. 
The $\varepsilon$-smooth min-entropy of $\rho_{AB}$ relative to $\sigma_B$ is 

$$H^\varepsilon_{\min}(\rho_{AB}|\sigma_B) := \sup_{\bar{\rho}_{AB}} H_{\min}(\bar{\rho}_{AB}|\sigma_B) ,$$

where the supremum ranges over the set $\mathcal{B}^\varepsilon(\rho_{AB})$ containing all Hermitian, 
non-negative operators $\bar{\rho}_{AB}$ acting on $\mathcal{H}_A \otimes \mathcal{H}_B$ such that $\delta(\bar{\rho}_{AB}, \rho_{AB}) \le 2\varepsilon$ 
and $\mathrm{tr}(\bar{\rho}_{AB}) \le 1$. 

The $\varepsilon$-smooth min-entropy given $\mathcal{H}_B$ is 

$$H^\varepsilon_{\min}(\rho_{AB}|B) := \sup_{\sigma_B} H^\varepsilon_{\min}(\rho_{AB}|\sigma_B) ,$$

where the supremum ranges over all $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$. 

To compute $H^\varepsilon_{\min}(\rho_{XB}|\sigma_B)$ where $\rho_{XB}$ is a cq-state, the supremum can be 
restricted to states $\bar{\rho}_{XB} \in \mathcal{B}^\varepsilon(\rho_{XB})$ which are classical on $\mathcal{H}_X$ as well [Ren05, 
Remark 3.2.4]. 

There is a chain rule for smooth min-entropy, proven in [Ren05, Lemma 3.2.9]. 

Lemma 2.19 ([Ren05]) Let $\rho_{XUE} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_U \otimes \mathcal{H}_E)$, $\sigma_U \in \mathcal{P}(\mathcal{H}_U)$, and 
let $\sigma_E \in \mathcal{P}(\mathcal{H}_E)$ be the fully mixed state on the image of $\rho_E$, and let $\varepsilon \ge 0$. 
Then 

$$H^\varepsilon_{\min}(\rho_{XUE}|\sigma_U) - H_{\max}(\rho_E) \le H^\varepsilon_{\min}(\rho_{XUE}|\sigma_U \otimes \sigma_E) .$$

The following two lemmas state that dropping a quantum register cannot 
increase the (smooth) min-entropy. 

Lemma 2.20 Let $\rho_{XUQ} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_U \otimes \mathcal{H}_Q)$ be a ccq-state. Then, 

$$H_{\min}(\rho_{XUQ}|\rho_U) \ge H_{\min}(\rho_{XU}|\rho_U) .$$

Proof: For $\lambda := 2^{-H_{\min}(\rho_{XU}|\rho_U)}$, we have by Definition 2.17 that 
$\lambda \cdot \mathbb{1}_X \otimes \rho_U - \rho_{XU} \ge 0$. Using that both $X$ and $U$ are classical, we derive that 
for all $x, u$, it holds that $\lambda \cdot p_u - p_{xu} \ge 0$, where $p_u$ and $p_{xu}$ are shortcuts for the 
probabilities $P_U(u)$ and $P_{XU}(x,u)$. Let the normalized conditional operator $\rho_Q^{xu}$ 
be the quantum state conditioned on the event that $X = x$ and $U = u$, i.e. 

$$\sum_{x,u} p_{xu} \, \rho_Q^{xu} \otimes |xu\rangle\langle xu| = \rho_{QXU} .$$

Then, 

$$\sum_{x,u} \big( \lambda \cdot p_u \, \rho_Q^{xu} - p_{xu} \, \rho_Q^{xu} \big) \otimes |xu\rangle\langle xu| \ge 0 .$$

Because of $\rho_Q^{xu} \le \mathbb{1}_Q$, we get 

$$\sum_{x,u} \big( \lambda \cdot p_u \, \mathbb{1}_Q - p_{xu} \, \rho_Q^{xu} \big) \otimes |xu\rangle\langle xu| \ge 0 .$$

Therefore, $\lambda \cdot \mathbb{1}_{QX} \otimes \rho_U - \rho_{QXU} \ge 0$ holds, from which it follows by definition 
that $H_{\min}(\rho_{XUQ}|\rho_U) \ge -\log(\lambda)$. $\square$ 

Lemma 2.21 Let $\rho_{XUQ} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_U \otimes \mathcal{H}_Q)$ be a ccq-state and let $\varepsilon \ge 0$. 
Then 

$$H^\varepsilon_{\min}(\rho_{XUQ}|\rho_U) \ge H^\varepsilon_{\min}(\rho_{XU}|\rho_U) .$$

Proof: By the remark after Definition 2.18 above, there exists $\sigma_{XU} \in \mathcal{B}^\varepsilon(\rho_{XU})$ 
classical on $\mathcal{H}_X \otimes \mathcal{H}_U$ such that $H^\varepsilon_{\min}(\rho_{XU}|\rho_U) = H_{\min}(\sigma_{XU}|\sigma_U)$. Because both 
$X$ and $U$ are classical, we can write $\sigma_{XU} = \sum_{x,u} \bar{p}_{xu} |xu\rangle\langle xu|$ and extend it 
to obtain $\sigma_{XUQ} := \sum_{x,u} \bar{p}_{xu} |xu\rangle\langle xu| \otimes \rho_Q^{xu}$. Lemma 2.20 from above yields 
$H_{\min}(\sigma_{XU}|\sigma_U) \le H_{\min}(\sigma_{XUQ}|\sigma_U)$. We have by construction that 
$\delta(\sigma_{XUQ}, \rho_{XUQ}) = \delta(\sigma_{XU}, \rho_{XU}) \le 2\varepsilon$. Therefore, $\sigma_{XUQ} \in \mathcal{B}^\varepsilon(\rho_{XUQ})$ and 
$H_{\min}(\sigma_{XUQ}|\sigma_U) \le H^\varepsilon_{\min}(\rho_{XUQ}|\rho_U)$. $\square$ 
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2.5 Two-Universal Hashing and Privacy Amplifica- 
tion against Quantum Adversaries 

2.5.1 History and Setting of Privacy Amplification 

Assume two parties Alice and Bob share some information $X$ which is only partly secure in the sense that an adversary Eve has some partial knowledge about it. Privacy Amplification, introduced by Bennett, Brassard, and Robert [BBR88], is the art of transforming this information $X$ into a highly secure key $K$ by public discussion. The honest parties want to end up with an almost uniformly distributed key $K$ about which Eve has only negligible information given the communication.

A common way to achieve this is to have Alice pick a hash function $f$ at random from a two-universal class of hashing functions (see next section for the definition), apply it to $X$ and announce $f$ to Bob, who applies it to $X$ as well. Due to the randomizing properties of a two-universal function, the output $f(X)$ is close to uniformly distributed from Eve's point of view. As shown in [BBR88] and by Impagliazzo, Levin, Luby [ILL89] and Bennett, Brassard, Crépeau, and Maurer [BBCM95], the classical privacy amplification theorem or left-over hash lemma (see Corollary 2.27 below) states that if Eve has some classical knowledge $W$ about $X$, a secure key of length roughly the uncertainty of Eve about $X$ (measured in terms of min-entropy) can be extracted by two-universal hashing. It is pointed out in [RW05] that the maximum amount of extractable randomness is essentially given by the conditional smooth min-entropy $H^\varepsilon_\infty(X|W)$.

It is interesting to investigate the case when Eve holds quantum information about $X$. This scenario has been considered by König, Maurer, and Renner [KMR05, RK05, Ren05] and the results reproduced below show that two-universal hashing works just as well against quantum as against classical adversaries.

We note that unlike in the classical case, where many other forms of randomness extractors are known, two-universal hashing is essentially the only way to perform privacy amplification against quantum adversaries.⁵ This tool is one of the key ingredients in all protocols presented in this thesis. It has been widely used in other applications as well, for example in security proofs of quantum-key-distribution schemes by Christandl, Renner, Ekert, Kraus, and Gisin [CRE04, KGR05, RGK05, Ren05].

2.5.2 Two-Universal Hashing 

An important tool we use is two-universal hashing. 

Definition 2.22 A class $\mathcal{F}_n$ of hashing functions from $\{0,1\}^n$ to $\{0,1\}^\ell$ is called two-universal, if for any pair $x,y \in \{0,1\}^n$ with $x \neq y$, and $F$ uniformly chosen from $\mathcal{F}_n$, it holds that
$$P[F(x) = F(y)] \;\leq\; 2^{-\ell} .$$

⁵ In a recent paper, König and Terhal [KT06] exhibit some extractors which work against quantum adversaries, but the parameters are far from the classical ones.

We can also define a slightly stronger notion of two-universality as follows: 

Definition 2.23 A class $\mathcal{F}_n$ of hashing functions from $\{0,1\}^n$ to $\{0,1\}^\ell$ is called strongly two-universal, if for any pair $x,y \in \{0,1\}^n$ with $x \neq y$, and $F$ uniformly chosen from $\mathcal{F}_n$, the random variables $F(x)$ and $F(y)$ are independent and uniformly distributed over $\{0,1\}^\ell$.

Several two-universal and strongly two-universal classes of hashing functions are such that evaluating and picking a function uniformly at random in $\mathcal{F}_n$ can be done efficiently, as pointed out by Wegman and Carter [CW77, WC79].

2.5.3 Privacy Amplification against Quantum Adversaries 

In the following, we consider the situation where a hash function is picked randomly from $\mathcal{F}_n$ and applied to a classical value $X \in \{0,1\}^n$ which is correlated with a quantum register $\mathcal{H}_E$. Formally, starting with the cq-state $\rho_{XE} = \sum_{x \in \{0,1\}^n} P_X(x)\,|x\rangle\langle x| \otimes \rho_E^x$, we obtain
$$\rho_{F(X)FE} \;=\; \sum_{f \in \mathcal{F}_n} \sum_{z \in \{0,1\}^\ell} |z\rangle\langle z| \otimes \frac{1}{|\mathcal{F}_n|}\,|f\rangle\langle f| \otimes \sum_{x:\, f(x) = z} P_X(x)\,\rho_E^x . \qquad (2.3)$$

The following privacy-amplification theorem in the presence of quantum adversaries was first derived in [RK05]. The version below is from [Ren05, Corollary 5.6.1]⁶.

Theorem 2.24 (Privacy Amplification [Ren05]) Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ be a cq-state, where $X$ takes values in $\{0,1\}^n$. Let $\mathcal{F}_n$ be a two-universal family of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$, and let $\varepsilon \geq 0$. Then, for the ccq-state $\rho_{F(X)FB}$ defined by (2.3), it holds (with $\mathbb{1}$ denoting the fully mixed state on $\{0,1\}^\ell$)
$$\delta\big(\rho_{F(X)FB},\ \mathbb{1} \otimes \rho_{FB}\big) \;\leq\; \varepsilon + \tfrac{1}{2}\, 2^{-\frac{1}{2}\left(H^\varepsilon_{\min}(\rho_{XB}|\rho_B) - \ell\right)} .$$

For large parts of this thesis, slightly weaker forms of this theorem are used. 
These are derived in the following. 

Corollary 2.25 Let $\rho_{XUE}$ be a ccq-state, where $X$ takes values in $\{0,1\}^n$, $U$ in the finite domain $\mathcal{U}$ and register $E$ contains $q$ qubits. Let $\mathcal{F}_n$ be a two-universal family of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$, and let $\varepsilon \geq 0$. Then, for the cccq-state $\rho_{F(X)FUE}$ defined analogously to (2.3), it holds
$$\delta\big(\rho_{F(X)FUE},\ \mathbb{1} \otimes \rho_{FUE}\big) \;\leq\; \tfrac{1}{2}\, 2^{-\frac{1}{2}\left(H^\varepsilon_\infty(X|U) - q - \ell\right)} + \varepsilon . \qquad (2.4)$$

⁶ Note that in [Ren05], the distance from uniform is defined in terms of the trace-norm distance, which is twice the variational distance used in this thesis.

Recall that by the definition of the trace-distance, if the right-hand side of (2.4) is negligible, i.e. say smaller than $2^{-\lambda n}$, then this situation is $2^{-\lambda n}$-close to the ideal situation where $F(X)$ is perfectly uniform and independent of $F$, $U$ and $E$. In particular, replacing $F(X)$ by an independent and uniformly distributed $\ell$-bit string results in a common state which essentially cannot be distinguished from the original one.

Proof: In our case, the quantum register $B$ from Theorem 2.24 consists of a classical part $U$ and a quantum part $E$. Denoting by $\sigma_E$ the fully mixed state on the image of $\rho_E$, we only need to consider the term in the exponent to derive Corollary 2.25 as follows:
$$\begin{aligned}
H^\varepsilon_{\min}(\rho_{XUE}|UE) &\geq H^\varepsilon_{\min}(\rho_{XUE}|\rho_U \otimes \sigma_E) \\
&\geq H^\varepsilon_{\min}(\rho_{XUE}|\rho_U) - H_{\max}(\rho_E) \qquad (2.5)\\
&\geq H^\varepsilon_{\min}(\rho_{XU}|\rho_U) - H_{\max}(\rho_E) \qquad (2.6)\\
&\geq H^\varepsilon_\infty(X|U) - q .
\end{aligned}$$
The first inequality follows by Definition 2.18 of $H^\varepsilon_{\min}$ as supremum over all $\sigma_{UE}$. Inequality (2.5) is the chain rule for smooth min-entropy (Lemma 2.19). Inequality (2.6) uses that the smooth min-entropy cannot decrease when dropping the quantum register, which is proven in Lemma 2.21 from the last section. The last step follows by the assumption about the quantum register (the image of $\rho_E$ has dimension at most $2^q$, so $H_{\max}(\rho_E) \leq q$) and by observing that the state $\rho_{XU}$ is classical and the quantum Definition 2.18 therefore reduces to classical smooth min-entropy. □

The following corollary is a direct consequence of Corollary 2.25. In the chapter on our commitment scheme, this lemma will be useful for proving its binding condition. Recall that for $X \in \{0,1\}^n$, $B_{\delta n}(X)$ denotes the set of all $n$-bit strings at Hamming distance at most $\delta n$ from $X$ and $B_{\delta n} := |B_{\delta n}(X)|$ is the number of such strings.

Corollary 2.26 Let $\rho_{XUE}$ be a ccq-state, where $X$ takes values in $\{0,1\}^n$, $U$ in the finite domain $\mathcal{U}$ and register $E$ contains $q$ qubits. Let $\hat{X}$ be a guess for $X$ obtained by learning $U$ and measuring $E$, and let $\varepsilon \geq 0$. Then, for all $\delta < \tfrac{1}{2}$ it holds that
$$P\big[\hat{X} \in B_{\delta n}(X)\big] \;\leq\; 2^{-\frac{1}{2}\left(H^\varepsilon_\infty(X|U) - q - 1\right) + \log(B_{\delta n})} + 2\varepsilon \cdot B_{\delta n} .$$

In other words, given some classical knowledge $U$ and a quantum memory of $q$ qubits arbitrarily correlated with a classical random variable $X$, the probability to find $\hat{X}$ at Hamming distance at most $\delta n$ from $X$ where $n\,h(\delta) < \tfrac{1}{2}\left(H^\varepsilon_\infty(X|U) - q\right)$ is small.

Proof: Here is a strategy to try to bias $F(X)$ when given $\hat{X}$ and $F \in_R \mathcal{F}_n$: Sample $X' \in_R B_{\delta n}(\hat{X})$ and output $F(X')$. Note that, using $p_{\mathrm{succ}}$ as a shorthand for the probability $P[\hat{X} \in B_{\delta n}(X)]$ to be bounded,
$$P[F(X') = F(X)] \;=\; \frac{p_{\mathrm{succ}}}{B_{\delta n}} + \Big(1 - \frac{p_{\mathrm{succ}}}{B_{\delta n}}\Big)\cdot\frac{1}{2} \;=\; \frac{1}{2} + \frac{p_{\mathrm{succ}}}{2 \cdot B_{\delta n}} ,$$
where the first equality follows from the fact that if $X' \neq X$ then, as $\mathcal{F}_n$ is two-universal, $P[F(X) = F(X')] = \tfrac{1}{2}$. Note that, given $F$ and $U$ and being allowed to measure $E$, the probability of correctly guessing a binary $F(X)$ is upper bounded by $\tfrac{1}{2} + \delta(\rho_{F(X)FUE}, \mathbb{1} \otimes \rho_{FUE})$ [FvdG99]. In combination with Corollary 2.25 (with $\ell = 1$) the above results in
$$\frac{1}{2} + \frac{p_{\mathrm{succ}}}{2 \cdot B_{\delta n}} \;\leq\; \frac{1}{2} + \frac{1}{2}\, 2^{-\frac{1}{2}\left(H^\varepsilon_\infty(X|U) - q - 1\right)} + \varepsilon ,$$
and the claim follows by rearranging the terms. □



2.5.4 Classical Privacy Amplification 

The classical privacy-amplification theorem follows as a special case from the results above. When there is no quantum correlation, we (almost) recover the well-known classical left-over hash lemma [ILL89, BBCM95, HILL99]:

Corollary 2.27 Let $X$ be a random variable over $\{0,1\}^n$, and let $F$ denote the uniform choice of a hash function in a two-universal family of hash functions $\mathcal{F}_n$ mapping from $\{0,1\}^n$ to $\{0,1\}^\ell$. Then

This corollary (with collision- instead of min-entropy in the exponent on the right-hand side) cannot immediately be derived from Theorem 2.24 above, but rather from its proof in [Ren05]. The reason for this is that the easiest way of proving both Theorem 2.24 and Corollary 2.27 is by directly considering collision entropy instead of min-entropy. On the other hand, relaxing the notion of collision entropy to smooth min-entropy gives the natural operational meaning (see Section 2.4.2) and, interestingly, it only looks like we are losing something by doing that, but in fact this achieves optimality [RW05].
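The following is an added worked example, not code from the thesis. It makes Definitions 2.22 and 2.23 and the classical left-over hash lemma of Corollary 2.27 concrete for one standard family, the set of all $\ell \times n$ binary matrices $M$ with $f_M(x) = Mx$ over GF(2) (two-universal because $M(x \oplus y)$ is uniform for $x \neq y$; adding a uniform $\ell$-bit shift makes it strongly two-universal). Everything is enumerated exactly with fractions at toy sizes; the leakage model (Eve's classical knowledge $W$ is the top $k$ bits of a uniform $X$, so $H_\infty(X|W) = n-k$), the parameters, and the use of Theorem 2.24's right-hand side with $\varepsilon = 0$ as the comparison bound are this example's own assumptions.

```python
"""Two-universal hashing over GF(2) and classical privacy amplification.

Added example, not code from the thesis. F_n is the set of all ell x n
binary matrices M with f_M(x) = M x over GF(2). The leakage model (Eve
learns the top k bits of a uniform X, so H_min(X|W) = n - k) and the tiny
parameters are this example's own choices; all probabilities are exact.
"""
from fractions import Fraction
from itertools import product


def parity(v):
    """Parity of the bits of v, i.e. the inner product over GF(2)."""
    return bin(v).count("1") & 1


def gf2_hash(rows, x):
    """f_M(x) = M x over GF(2). `rows` holds the ell row masks of M; the
    result is an ell-bit integer with row 0 as its most significant bit."""
    out = 0
    for r in rows:
        out = (out << 1) | parity(r & x)
    return out


def hash_family(n, ell):
    """F_n: every ell x n binary matrix, as a tuple of n-bit row masks."""
    return list(product(range(1 << n), repeat=ell))


def collision_probability(n, ell, x, y):
    """P[F(x) = F(y)] for F uniform in F_n, as an exact fraction; for
    x != y this is exactly 2^-ell, so Definition 2.22 holds with equality."""
    fam = hash_family(n, ell)
    hits = sum(gf2_hash(f, x) == gf2_hash(f, y) for f in fam)
    return Fraction(hits, len(fam))


def distance_from_uniform(n, ell, leaked_bits):
    """delta(P_{F(X)FW}, P_UNIF * P_FW) for X uniform on {0,1}^n and W the top
    `leaked_bits` bits of X; delta is half the L1 distance (the variational
    distance used in the thesis)."""
    fam = hash_family(n, ell)
    free = n - leaked_bits
    p_fw = Fraction(1, len(fam) * (1 << leaked_bits))  # F and W independent, uniform
    total = Fraction(0)
    for f in fam:
        for w in range(1 << leaked_bits):
            counts = [0] * (1 << ell)                    # histogram of f(X) given W = w
            for low in range(1 << free):
                counts[gf2_hash(f, (w << free) | low)] += 1
            for c in counts:
                joint = Fraction(c, 1 << free) * p_fw     # P_{F(X)FW}(z, f, w)
                ideal = Fraction(1, 1 << ell) * p_fw      # 2^-ell * P_FW(f, w)
                total += abs(joint - ideal)
    return total / 2


def leftover_hash_bound(min_entropy, ell):
    """Right-hand side of Theorem 2.24 with epsilon = 0 and classical side
    information: 1/2 * 2^(-(H_min(X|W) - ell) / 2)."""
    return 0.5 * 2 ** (-(min_entropy - ell) / 2)


if __name__ == "__main__":
    print("collision probability, n=3, ell=2:", collision_probability(3, 2, 0b101, 0b011))
    for k in (0, 2):
        d = distance_from_uniform(4, 1, k)
        print(f"n=4, ell=1, {k} leaked bits: distance {d}, bound {leftover_hash_bound(4 - k, 1):.3f}")
```

With $n = 4$, $\ell = 1$ and no leakage the only bad hash function is the all-zero row (constant output), which accounts for the whole distance $1/32$; leaking two bits raises the exact distance to $1/8$, still inside the bound $\tfrac{1}{2}\,2^{-1/2} \approx 0.354$ that Theorem 2.24 gives for $H_\infty(X|W) = 2$.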



Chapter 3 

Classical Oblivious Transfer 



Most of the results presented in this chapter are published in [DFSS06].

3.1 Introduction and Outline

As already mentioned in Section 1.1, 1-out-of-2 Oblivious Transfer, 1-2 OT for short, is a two-party primitive which allows a sender to send two bits (or, more generally, strings) $B_0$ and $B_1$ to a receiver, who is allowed to learn one of the two according to his choice $C$. Informally, it is required that the receiver only learns $B_C$ but not $B_{1-C}$ (what we call security for the honest sender, hence sender-security), while at the same time the sender does not learn $C$ (receiver-security). Interestingly, 1-2 OT was introduced by Wiesner around 1970 (but only published much later [Wie83]) under the name of "multiplexing" in the context of quantum cryptography, and, inspired by [Rab81] where a different flavor was introduced, later re-discovered by Even, Goldreich and Lempel [EGL82].

1-2 OT turned out to be very powerful as Kilian [Kil88] showed it to be sufficient for secure general two-party computation. For this reason, much effort has been put into reducing 1-2 OT to seemingly weaker flavors of OT, like Rabin OT, 1-2 XOT, etc. [Cré87, BC97, Cac98, Wol00, BCW03, CS06].

In this chapter, we focus on a slightly modified notion of 1-2 OT, which we call Randomized 1-2 OT, Rand 1-2 OT for short, where the bits (or strings) $B_0$ and $B_1$ are not input by the sender, but generated uniformly at random during the Rand 1-2 OT and then output to the sender. It is still required that the receiver only learns the bit (or string) of his choice, $B_C$, whereas the sender does not learn any information on $C$. It is obvious that a Rand 1-2 OT can easily be turned into an ordinary 1-2 OT simply by using the generated $B_0$ and $B_1$ to mask the actual input bits (or strings). Furthermore, all known constructions of unconditionally secure 1-2 OT protocols implicitly make the detour via Rand 1-2 OT.

In a first step, we observe that the sender-security condition of a Rand 1-2 OT of bits is equivalent to requiring the XOR $B_0 \oplus B_1$ to be close to uniformly distributed from the receiver's point of view. The proof is very simple, and it is kind of surprising that, to the best of our knowledge, this has not been realized before. We then ask and answer the question whether there is a natural
generalization of this result to Rand 1-2 OT of strings. Note that requiring the bit-wise XOR of the two strings to be uniformly distributed is obviously not sufficient. We show that the sender-security for Rand 1-2 OT of strings can be characterized in terms of non-degenerate linear functions (bivariate binary linear functions which non-trivially depend on both arguments, as defined in Definition 3.3): sender-security holds if and only if the result of applying any non-degenerate linear function to the two strings is (close to) uniformly distributed from the receiver's point of view.

We then show the usefulness of this new understanding of 1-2 OT. We demonstrate this on the problem of reducing 1-2 OT to weaker primitives. Concretely, we show that the reducibility of an ordinary 1-2 OT to weaker flavors via a non-interactive reduction follows by a trivial argument from our characterization of sender-security. This is in sharp contrast to the current literature: The proofs given by Brassard, Crépeau and Wolf [BC97, Wol00, BCW03] for reducing 1-2 OT to 1-2 XOT, 1-2 GOT and 1-2 UOT (we refer to Section 3.4 for a description of these flavors of OT) are rather complicated and tailored to a particular class of privacy-amplifying hash functions; whether the reductions also work for a less restricted class is left as an open problem [BCW03, page 222]. And, the proof given by Cachin [Cac98] for reducing 1-2 OT to one execution of a general UOT is not only complicated, but also incorrect, as we will point out. Thus, our characterization of the condition for sender-security allows us to simplify existing reducibility proofs and, along the way, to solve the open problem posed in [BCW03], as well as to improve the reduction parameters in most cases, but it also allows for new, respectively until now only incorrectly proven, reductions. In recent work by Wullschleger [Wul07], the analysis of these reductions is further improved.

Furthermore, we extend our result and show how our characterization of Rand 1-2 OT in terms of non-degenerate linear functions translates to 1-n OT.

As a historical side note, the original motivation for characterizing sender-security with the help of NDLFs was to prove sender-security of the quantum protocol for 1-2 OT described in Chapter 6. We point out by an example in Section 3.6 at the end of this chapter why this approach does not work.



Formally capturing the intuitive understanding of the security of 1-2 OT is a non-trivial and subtle task. For instance, requiring the sender's view to be independent of the receiver's choice bit $C$ is too strong a requirement, since the sender's input might already depend on $C$. The best one can hope for is that his view is independent of $C$ conditioned on his input $B_0, B_1$. Security against a dishonest receiver is even more subtle. We refer to the security definition by Crépeau, Savvides, Schaffner and Wullschleger of [CSSW06], where it is argued that this definition is the "right" way to define unconditionally secure 1-2 OT. In their
model, a secure 1-2 OT protocol is as good as an ideal 1-2 OT functionality.

In this thesis, we will mainly focus on a slight modification of 1-2 OT, which we call Randomized 1-2 OT (although sender-randomized 1-2 OT would be a more appropriate, but also rather lengthy, name). A Randomized 1-2 OT, or Rand 1-2 OT for short, essentially coincides with an ordinary 1-2 OT, except that the two bits $B_0$ and $B_1$ are not input by the sender but generated uniformly at random during the protocol and output to the sender. This is formalized in Definition 3.1 below.

There are two main justifications for focusing on Rand 1-2 OT. First, an ordinary 1-2 OT can easily be constructed from a Rand 1-2 OT: the sender can use the randomly generated $B_0$ and $B_1$ to one-time-pad encrypt his input bits for the 1-2 OT, and send the masked bits to the receiver (as first realized by Beaver [Bea95]). For a formal proof of this we refer to the full version of [CSSW06]. And second, all information-theoretically secure constructions of 1-2 OT protocols we are aware of in fact do implicitly build a Rand 1-2 OT and use the above reduction to achieve 1-2 OT.

We formalize Rand 1-2 OT in such a way that it minimizes and simplifies 
as much as possible the security restraints, while at the same time remaining 
sufficient for 1-2 OT. 

Definition 3.1 (Rand 1-2 OT) An $\varepsilon$-secure Rand 1-2 OT is a protocol between sender S and receiver R, with R having input $C \in \{0,1\}$ (while S has no input), such that for any distribution of $C$, the following properties hold:

$\varepsilon$-Correctness: For honest S and R, S has output $B_0, B_1 \in \{0,1\}$ and R has output $B_C$, except with probability $\varepsilon$.

$\varepsilon$-Receiver-security: For honest R and any (dishonest) S with output $V$,



$\varepsilon$-Sender-security: For honest S and any (dishonest) R with output $W$, there exists a binary random variable $D$ such that



The condition for receiver-security simply says that S learns no information on $C$, and sender-security requires that there exists a choice bit $D$, supposed to be $C$, such that when given the choice $D$ and the corresponding bit $B_D$, then the other bit, $B_{1-D}$, is completely random from R's point of view.

We would like to point out that the definition of Rand 1-2 OT given in [CSSW06] looks syntactically slightly different from our Definition 3.1. However, it is not hard to see that they are actually equivalent. The main difference is that the definition in [CSSW06] involves an auxiliary input $Z$, which is given to the dishonest player, and receiver- and sender-security as we define them are required to hold conditioned on $Z$ for any $Z$. Considering a constant $Z$ immediately proves one direction of the claimed equivalence, and the other follows from the observation that if receiver- and sender-security as we define them hold for any distribution $P_{B_0B_1C}$ (respectively $P_C$), then they also hold for the conditional distribution $P_{B_0B_1C|Z=z}$ (respectively $P_{C|Z=z}$). The other difference is that in [CSSW06], in the condition for sender-security of Rand 1-2 OT, $B_{1-D}$ is required to be random and independent of $W$, $B_D$, $D$ and $C$. This of course implies our sender-security condition (which is without $C$), but it is also implied by our definition as $C$ may be part of the output $W$. We feel that simplifying the definitions as we do, without changing their meaning, allows for easier handling.

3.2.2 Randomized 1-2 OT of Strings

In a 1-2 String OT the sender inputs two strings of the same length, and the receiver is allowed to learn one and only one of the two. Formally, for any positive integer $\ell$, 1-2 OT$^\ell$ and Rand 1-2 OT$^\ell$ can be defined along the same lines as 1-2 OT and Rand 1-2 OT of bits: the binary random variables $B_0$ and $B_1$ as well as $\mathrm{UNIF}$ in Definition 3.1 are simply replaced by random variables $S_0$ and $S_1$ and $\mathrm{UNIF}^\ell$ with range $\{0,1\}^\ell$.

3.3 Characterizing Sender-Security 



It is well known and it follows from sender-security that in a (Rand) 1-2 OT the receiver R should in particular learn essentially no information on the XOR $B_0 \oplus B_1$ of the two bits. The following proposition shows that this is not only necessary for sender-security but also sufficient.

Theorem 3.2 The condition for $\varepsilon$-sender-security for a Rand 1-2 OT is satisfied for a particular (possibly dishonest) receiver R with output $W$ if and only if



Before going into the proof, which is surprisingly simple, consider the following example. Assume a candidate protocol for Rand 1-2 OT and a dishonest receiver R which is able to output $W = 0$ if $B_0 = 0 = B_1$, $W = 1$ if $B_0 = 1 = B_1$, and $W = 0$ or $1$ with probability $1/2$ each in case $B_0 \neq B_1$. Then, it is easy to see that conditioned on, say, $W = 0$, $(B_0,B_1)$ is $(0,0)$ with probability $\tfrac{1}{2}$, and $(0,1)$ and $(1,0)$ each with probability $\tfrac{1}{4}$, such that the condition on the XOR from Theorem 3.2 is satisfied. On the other hand, neither $B_0$ nor $B_1$ is uniformly distributed conditioned on $W = 0$, and it appears as if the receiver has some joint information on $B_0$ and $B_1$ which is forbidden by a (Rand) 1-2 OT. But that is not so. Indeed, the same view can be obtained when attacking an ideal Rand 1-2 OT: submit a random bit $C$ to obtain $B_C$ and output $W = B_C$. In the light of Definition 3.1, if $W = 0$ we can split the event $(B_0,B_1) = (0,0)$ into two disjoint subsets (subevents) $\mathcal{E}_0$ and $\mathcal{E}_1$ such that each has probability $\tfrac{1}{4}$, and we define $D$ by setting $D = 0$ if $\mathcal{E}_0$ or $(B_0,B_1) = (0,1)$, and $D = 1$ if $\mathcal{E}_1$ or $(B_0,B_1) = (1,0)$. Then, obviously, conditioned on $D = d$, the bit $B_{1-d}$ is uniformly distributed, even when given $B_d$. The corresponding holds if $W = 1$.



3.3.1 The Case of Bit OT 
Proof: The "only if" implication is well-known and straightforward. For the "if" implication, we first argue the perfect case where $P_{(B_0 \oplus B_1)W} = P_{\mathrm{UNIF}} \cdot P_W$. For any value $w$ with $P_W(w) > 0$, the non-normalized distribution $P_{B_0B_1W}(\cdot,\cdot,w)$ can be expressed as depicted in the left table of Figure 3.1, where we write $a$ for $P_{B_0B_1W}(0,0,w)$, $b$ for $P_{B_0B_1W}(0,1,w)$, $c$ for $P_{B_0B_1W}(1,0,w)$ and $d$ for $P_{B_0B_1W}(1,1,w)$. Note that $a + b + c + d = P_W(w)$ and, by assumption, $a + d = b + c$. Due to symmetry, we may assume that $a \leq b$. We can then define $D$ by extending $P_{B_0B_1W}(\cdot,\cdot,w)$ to $P_{B_0B_1DW}(\cdot,\cdot,\cdot,w)$ as depicted in the right two tables in Figure 3.1: $P_{B_0B_1DW}(0,0,0,w) = P_{B_0B_1DW}(0,1,0,w) = a$, $P_{B_0B_1DW}(1,0,0,w) = P_{B_0B_1DW}(1,1,0,w) = c$, etc. It is important to realize that $P_{B_0B_1DW}(\cdot,\cdot,\cdot,w)$ is indeed a valid extension since by assumption $c + (b - a) = d$.
Figure 3.1: Distributions $P_{B_0B_1W}(\cdot,\cdot,w)$ (left) and $P_{B_0B_1DW}(\cdot,\cdot,\cdot,w)$ (right); rows are indexed by $b_0 \in \{0,1\}$, columns by $b_1 \in \{0,1\}$ (tables reconstructed from the proof text; the original figure is not reproduced).

  P_{B_0B_1W}(·,·,w):     P_{B_0B_1DW}(·,·,0,w):    P_{B_0B_1DW}(·,·,1,w):
    a   b                   a   a                     0   b−a
    c   d                   c   c                     0   b−a



It is now obvious that $P_{B_0B_1DW}(\cdot,\cdot,0,w) = \tfrac{1}{2} P_{B_0DW}(\cdot,0,w)$ as well as $P_{B_0B_1DW}(\cdot,\cdot,1,w) = \tfrac{1}{2} P_{B_1DW}(\cdot,1,w)$. This finishes the perfect case.

Concerning the general case, the idea is the same as above, except that one has to take some care in handling the error parameter $\varepsilon > 0$. As this does not give any new insight, and we anyway state and fully prove a more general result in Theorem 3.6, we skip this part of the proof.¹ □



3.3.2 The Case of String OT 

The obvious question after the previous section is whether there is a natural generalization of Theorem 3.2 to 1-2 OT$^\ell$ for $\ell \geq 2$. Note that the straightforward generalization of the XOR-condition in Theorem 3.2, requiring that any receiver has no information on the bit-wise XOR of the two strings, is clearly too weak, and does not imply sender-security for Rand 1-2 OT$^\ell$: for instance the receiver could know the first half of the first string and the second half of the second string.



The Characterization 

Let $\ell$ be an arbitrary positive integer.

Definition 3.3 A function $\beta: \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}$ is called a non-degenerate linear function (NDLF) if it is of the form
$$\beta: (s_0, s_1) \mapsto \langle a_0, s_0 \rangle \oplus \langle a_1, s_1 \rangle$$
for two non-zero $a_0, a_1 \in \{0,1\}^\ell$, i.e., if it is linear and non-trivially depends on both input strings.

¹ Although the special case $\ell = 1$ in Theorem 3.6 is quantitatively slightly weaker than Theorem 3.2.

Even though this is the main notion we are using, the following more relaxed notion allows us to make some of our claims slightly stronger.

Definition 3.4 A binary function $\beta: \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}$ is called 2-balanced if for any $s_0, s_1 \in \{0,1\}^\ell$ the functions $\beta(s_0,\cdot)$ and $\beta(\cdot,s_1)$ are balanced in the usual sense, meaning that $|\{\sigma_1 \in \{0,1\}^\ell : \beta(s_0,\sigma_1) = 0\}| = 2^\ell/2$ and $|\{\sigma_0 \in \{0,1\}^\ell : \beta(\sigma_0,s_1) = 0\}| = 2^\ell/2$.

The following is easy to see and the proof is omitted.

Lemma 3.5 Every non-degenerate linear function is 2-balanced.

In case $\ell = 1$, the XOR is a NDLF and thus 2-balanced, and it is the only NDLF and, up to addition of a constant, the only 2-balanced function. Based on this notion of non-degenerate linear functions, sender-security of Rand 1-2 String OT can be characterized as follows.

Theorem 3.6 The condition of $\varepsilon$-sender-security for a Rand 1-2 OT$^\ell$ is satisfied for a particular (possibly dishonest) receiver R with output $W$ if
$$\delta\big(P_{\beta(S_0,S_1)W},\ P_{\mathrm{UNIF}} \cdot P_W\big) \;\leq\; \varepsilon / 2^{2\ell + 1}$$
for every NDLF $\beta$, and, on the other hand, $\varepsilon$-sender-security may be satisfied only if $\delta(P_{\beta(S_0,S_1)W}, P_{\mathrm{UNIF}} \cdot P_W) \leq \varepsilon$ for every NDLF $\beta$.

The number of NDLFs is exponential in $\ell$, namely $(2^\ell - 1)^2$. Nevertheless, we show in Section 3.4 that this characterization turns out to be very useful. There, we will also argue that an exponential overhead in $\ell$ in the sufficient condition is unavoidable. The proof of Theorem 3.6 also shows that the set of NDLFs forms a minimal set of functions among all sets that imply sender-security. In this sense, our characterization is tight.

At first glance, Theorem 3.6 appears to be related to the so-called (information-theoretic) XOR-Lemma, commonly attributed to Vazirani [Vaz86] and nicely explained by Goldreich [Gol95], which states that a string is close to uniform if the XOR of the bits of any non-empty substring is. As far as we can see, Theorem 3.6 neither follows from the XOR-Lemma in an obvious way nor can it be proven by modifying the proof of the XOR-Lemma as given in [Gol95].

Furthermore, we would like to point out that Theorem 4 in [BCW03] also provides a tool to analyze sender-security of 1-2 OT protocols in terms of linear functions; however, the condition that needs to be satisfied is much stronger than for our Theorem 3.6: it additionally requires that one of the two strings is a priori uniformly distributed from the receiver's point of view.² This difference is crucial, because showing that one of the two strings is uniform (conditioned on

² Concretely, it is additionally required that every non-trivial parity of that string is uniform, but by the XOR-Lemma this is equivalent to the whole string being uniform.
the receiver's view) is usually technically involved and sometimes not even possible, as the example given after Theorem 3.2 shows. This is also demonstrated by the fact that the analysis in [BCW03] of the considered 1-2 OT protocol is tailored to one particular class of privacy-amplifying hash functions, and it is stated as an open problem how to prove their construction secure when a different class of hash functions is used. The condition for Theorem 3.6, on the other hand, is naturally satisfied for typical constructions of 1-2 OT protocols, as we shall see in Section 3.4. As a result, Theorem 3.6 allows for much simpler and more elegant security proofs for 1-2 OT protocols, and, as a by-product, allows us to solve the open problem from [BCW03]. We explain this in detail in Section 3.4 and the interested reader may well jump ahead and save the proof of Theorem 3.6 for later.

Proof of Theorem 3.6 ("only if" part)

We start with the proof for the "only if" part of Theorem 3.6. In fact, a slightly stronger statement is shown, namely that $\varepsilon$-sender-security implies $\delta(P_{\beta(S_0,S_1)W}, P_{\mathrm{UNIF}} \cdot P_W) \leq \varepsilon$ for any 2-balanced function $\beta$.

According to Definition 3.1, $\varepsilon$-sender-security for Rand 1-2 OT$^\ell$ is satisfied for a receiver R with output $W$ if there exists a random variable $D$ with range $\{0,1\}$ such that
$$\frac{1}{2} \sum_{w,d,s_0,s_1} \Big| P_{S_{1-D} S_D D W}(s_{1-d}, s_d, d, w) - 2^{-\ell}\, P_{S_D D W}(s_d, d, w) \Big| \;\leq\; \varepsilon .$$

In order to upper bound
$$\delta\big(P_{\beta(S_0,S_1)W}, P_{\mathrm{UNIF}} \cdot P_W\big) \;=\; \frac{1}{2} \sum_{w,b} \Big| P_{\beta(S_0,S_1)W}(b,w) - \tfrac{1}{2} P_W(w) \Big|$$
we expand the terms on the right hand side as follows.
$$P_{\beta(S_0,S_1)W}(b,w) \;=\; \sum_d P_{\beta(S_0,S_1)DW}(b,d,w) \;=\; \sum_d \sum_{s_d} \sum_{\substack{s_{1-d}:\\ \beta(s_0,s_1) = b}} P_{S_{1-D} S_D D W}(s_{1-d}, s_d, d, w)$$
and
$$P_W(w) \;=\; \sum_d \sum_{s_d} P_{S_D D W}(s_d, d, w) \;=\; \sum_d 2^{-(\ell-1)} \sum_{s_d} \sum_{\substack{s_{1-d}:\\ \beta(s_0,s_1) = b}} P_{S_D D W}(s_d, d, w) ,$$
where the last equality holds because there are $2^{\ell-1}$ values for $s_{1-d}$ such that $\beta(s_0,s_1) = b$, as $\beta$ is a 2-balanced function. Using those two expansions we conclude that
$$\begin{aligned}
\delta\big(P_{\beta(S_0,S_1)W}, P_{\mathrm{UNIF}} \cdot P_W\big)
&\leq \frac{1}{2} \sum_{w,b} \sum_d \sum_{s_d} \sum_{\substack{s_{1-d}:\\ \beta(s_0,s_1) = b}} \Big| P_{S_{1-D} S_D D W}(s_{1-d}, s_d, d, w) - 2^{-\ell}\, P_{S_D D W}(s_d, d, w) \Big| \\
&= \frac{1}{2} \sum_{w,d,s_0,s_1} \Big| P_{S_{1-D} S_D D W}(s_{1-d}, s_d, d, w) - 2^{-\ell}\, P_{S_D D W}(s_d, d, w) \Big| \;\leq\; \varepsilon ,
\end{aligned}$$
where the first inequality follows from the above expansions and the triangle inequality and the last inequality is our initial assumption. □

The "if" part, which is the interesting direction, is proven below.



The Case $\ell = 2$

We feel that in order to understand the proof of Theorem 3.6 it is useful to first consider the case $\ell = 2$. Let us focus on trying to develop a condition that is sufficient for perfect sender-security. Fix an arbitrary output $w$, and consider an arbitrary non-normalized probability distribution $P_{S_0S_1W}(\cdot,\cdot,w)$ of $S_0$ and $S_1$ when $W = w$. This is depicted in the left table of Figure 3.2, where we write $a$ for $P_{S_0S_1W}(00,00,w)$, $b$ for $P_{S_0S_1W}(00,01,w)$, etc. We may assume that $a \leq b, c, d$. We now extend this distribution to $P_{S_0S_1DW}(\cdot,\cdot,\cdot,w)$ similarly as in the proof of Theorem 3.2. This is depicted in the two right tables in Figure 3.2. We verify what conditions $P_{S_0S_1W}(\cdot,\cdot,w)$ must satisfy such that $P_{S_0S_1DW}$ is indeed a valid extension, i.e., that $P_{S_0S_1DW}(\cdot,\cdot,0,w) + P_{S_0S_1DW}(\cdot,\cdot,1,w) = P_{S_0S_1W}(\cdot,\cdot,w)$.
Figure 3.2: Distributions $P_{S_0S_1W}(\cdot,\cdot,w)$ (left) and $P_{S_0S_1DW}(\cdot,\cdot,\cdot,w)$ (right). Rows are indexed by $s_0 \in \{00,01,10,11\}$ and columns by $s_1 \in \{00,01,10,11\}$; the entries of the left table are named $a, \dots, p$ row by row (tables reconstructed from the equations in the text; the original figure is not reproduced).

  P_{S_0S_1W}(·,·,w):    P_{S_0S_1DW}(·,·,0,w):    P_{S_0S_1DW}(·,·,1,w):
    a  b  c  d             a  a  a  a                0  b−a  c−a  d−a
    e  f  g  h             e  e  e  e                0  b−a  c−a  d−a
    i  j  k  l             i  i  i  i                0  b−a  c−a  d−a
    m  n  o  p             m  m  m  m                0  b−a  c−a  d−a

For instance, looking at the second row and second column we get the equation $e + (b - a) = f$. Altogether, we get the following system of equations:
$$\begin{array}{lll}
b + e = a + f, & \quad b + i = a + j, & \quad b + m = a + n, \\
c + e = a + g, & \quad c + i = a + k, & \quad c + m = a + o, \\
d + e = a + h, & \quad d + i = a + l, & \quad d + m = a + p.
\end{array}$$

Note that if all these equations hold for any $w$, then $P_{S_0S_1DW}(\cdot,\cdot,\cdot,\cdot)$ is well defined and satisfies $P_{S_0S_1DW}(\cdot,\cdot,0,\cdot) = \tfrac{1}{4} P_{S_0DW}(\cdot,0,\cdot)$ and $P_{S_0S_1DW}(\cdot,\cdot,1,\cdot) = \tfrac{1}{4} P_{S_1DW}(\cdot,1,\cdot)$; in other words, perfect sender-security holds.

The idea now is to show that the above equation system is equivalent to an- 
other equation system, in which every equation expresses that a certain NDLF 
applied to So and Si is uniformly distributed when W = w, which holds by 
assumption. 

For example, by adding all the equations in the original system while taking every second equation with negative sign, one gets the equation
$$b + d + e + g + j + l + m + o \;=\; a + c + f + h + i + k + n + p .$$
Define the function $\beta: \{0,1\}^2 \times \{0,1\}^2 \to \{0,1\}$ as follows. Let $\beta(s_0,s_1)$ be $0$ if the entry which corresponds to $(s_0,s_1)$ in the left table in Figure 3.2 appears on the left hand side of the above equation, and else we let $\beta(s_0,s_1)$ be $1$. Then the above equation simply says that $\beta(S_0,S_1) = 0$ with the same probability as $\beta(S_0,S_1) = 1$ (when $W = w$). Note that it is crucial that in the above equation every variable $a$ up to $p$ occurs with multiplicity exactly 1. By comparing the function tables, it is now easy to verify that $\beta$ coincides (up to complementing the output, which does not affect uniformity) with the function $(s_0,s_1) \mapsto s_{02} \oplus s_{12}$, where $s_{i2}$ denotes the second coordinate of $s_i \in \{0,1\}^2$, and thus is a NDLF.

One can now show (and we are going to do this below for an arbitrary $\ell$) that there are enough such equations, corresponding to NDLFs, such that these equations imply the original ones. This implies that if $\beta(S_0,S_1)$ is distributed uniformly and independently of $W$ for every NDLF $\beta$, then the original equation system is satisfied (for any $w$), and thus $P_{S_0S_1DW}$ is well-defined.

Proof of Theorem 3.6 ("if" part).

First, we consider the perfect case: if $P_{\beta(S_0,S_1)W}$ equals $P_{\mathrm{UNIF}} \cdot P_W$ for every NDLF $\beta$, then sender-security for Rand 1-2 OT$^\ell$ holds perfectly.

The Perfect Case: Since the case $\ell = 1$ is already settled, we assume that $\ell \geq 2$. We generalize the idea from the case $\ell = 2$. The main issue will be to transform the equations guaranteed by the assumption on the linear functions into the ones required for $P_{S_0S_1DW}(\cdot,\cdot,0,w) + P_{S_0S_1DW}(\cdot,\cdot,1,w) = P_{S_0S_1W}(\cdot,\cdot,w)$.

Fix an arbitrary output $w$ of the receiver, and consider the non-normalized probability distribution $P_{S_0S_1W}(\cdot,\cdot,w)$. We use the variable $p_{s_0,s_1}$ to refer to $P_{S_0S_1W}(s_0,s_1,w)$, and we write $o$ for the all-zero string $(0,\dots,0) \in \{0,1\}^\ell$. We assume that $p_{o,o} \leq p_{o,s_1}$ for any $s_1 \in \{0,1\}^\ell$; we show later that we may do so. We extend this distribution to $P_{S_0S_1DW}(\cdot,\cdot,\cdot,w)$ by setting
$$P_{S_0S_1DW}(s_0,s_1,0,w) = p_{s_0,o} \quad\text{and}\quad P_{S_0S_1DW}(s_0,s_1,1,w) = p_{o,s_1} - p_{o,o} \qquad (3.1)$$
for any strings $s_0,s_1 \in \{0,1\}^\ell$, and we collect the equations resulting from the condition that $P_{S_0S_1W}(\cdot,\cdot,w) = P_{S_0S_1DW}(\cdot,\cdot,0,w) + P_{S_0S_1DW}(\cdot,\cdot,1,w)$ needs to be satisfied (for $s_0 = o$ or $s_1 = o$ it holds by construction): for any two $s_0,s_1 \in \{0,1\}^\ell \setminus \{o\}$
$$p_{s_0,o} + p_{o,s_1} \;=\; p_{o,o} + p_{s_0,s_1} . \qquad (3.2)$$

If all these equations hold for any $w$, then as in the case of $\ell = 1$ or $\ell = 2$, the random variable $D$ is well defined and $P_{S_{1-D} S_D W D} = P_{\mathrm{UNIF}^\ell} \cdot P_{S_D W D}$ holds, since $P_{S_0S_1DW}(s_0,s_1,0,w)$ does not depend on $s_1$ and $P_{S_0S_1DW}(s_0,s_1,1,w)$ does not depend on $s_0$.

We proceed by showing that the equations provided by the assumed uniformity of $\beta(S_0,S_1)$ for any $\beta$ imply the equations given by (3.2). Consider an arbitrary pair $a_0, a_1 \in \{0,1\}^\ell \setminus \{o\}$ and let $\beta$ be the associated NDLF, i.e., such that $\beta(s_0,s_1) = \langle a_0, s_0\rangle \oplus \langle a_1, s_1\rangle$. By assumption, $\beta(S_0,S_1)$ is uniformly distributed, independent of $W$. Thus, for any fixed $w$, this can be expressed as

$$\sum_{\substack{\sigma_0,\sigma_1:\\ \langle a_0,\sigma_0\rangle = \langle a_1,\sigma_1\rangle}} p_{\sigma_0,\sigma_1} \;=\; \sum_{\substack{\sigma_0,\sigma_1:\\ \langle a_0,\sigma_0\rangle \neq \langle a_1,\sigma_1\rangle}} p_{\sigma_0,\sigma_1} \qquad (3.3)$$

where both summations are over all $\sigma_0, \sigma_1 \in \{0,1\}^\ell$ subject to the indicated respective properties. Recall that this equality holds for any pair $a_0, a_1 \in \{0,1\}^\ell \setminus \{o\}$. Thus, for fixed $s_0, s_1 \in \{0,1\}^\ell \setminus \{o\}$, if we sum over all such pairs $a_0, a_1$ subject to $\langle a_0,s_0\rangle = \langle a_1,s_1\rangle = 1$, we get the equation

$$\sum_{\substack{a_0,a_1:\\ \langle a_0,s_0\rangle = \langle a_1,s_1\rangle = 1}}\;\sum_{\substack{\sigma_0,\sigma_1:\\ \langle a_0,\sigma_0\rangle = \langle a_1,\sigma_1\rangle}} p_{\sigma_0,\sigma_1} \;=\; \sum_{\substack{a_0,a_1:\\ \langle a_0,s_0\rangle = \langle a_1,s_1\rangle = 1}}\;\sum_{\substack{\sigma_0,\sigma_1:\\ \langle a_0,\sigma_0\rangle \neq \langle a_1,\sigma_1\rangle}} p_{\sigma_0,\sigma_1}$$

which, after re-arranging the terms of the summations, leads to

$$\sum_{\sigma_0,\sigma_1}\;\sum_{\substack{a_0,a_1:\\ \langle a_0,s_0\rangle = \langle a_1,s_1\rangle = 1\\ \langle a_0,\sigma_0\rangle = \langle a_1,\sigma_1\rangle}} p_{\sigma_0,\sigma_1} \;=\; \sum_{\sigma_0,\sigma_1}\;\sum_{\substack{a_0,a_1:\\ \langle a_0,s_0\rangle = \langle a_1,s_1\rangle = 1\\ \langle a_0,\sigma_0\rangle \neq \langle a_1,\sigma_1\rangle}} p_{\sigma_0,\sigma_1}. \qquad (3.4)$$

We will now argue that, up to a constant multiplicative factor, equation (3.4) coincides with equation (3.2).

First, it is straightforward to verify that the variables $p_{o,o}$ and $p_{s_0,s_1}$ occur only on the left hand side, both with multiplicity $2^{2(\ell-1)}$ (the number of pairs $a_0, a_1$ such that $\langle a_0,s_0\rangle = \langle a_1,s_1\rangle = 1$), whereas $p_{s_0,o}$ and $p_{o,s_1}$ only occur on the right hand side, with the same multiplicity $2^{2(\ell-1)}$.

Now, we argue that any other $p_{\sigma_0,\sigma_1}$ equally often appears on the right and on the left hand side, and thus cancels out. Note that the set of pairs $a_0, a_1$, over which the summation runs on the left respectively the right hand side, can be understood as the set of solutions to a binary non-homogeneous linear equation system in the unknowns $a_0, a_1$, namely (reading off the summation conditions in (3.4))

$$\langle a_0, s_0\rangle = 1, \qquad \langle a_1, s_1\rangle = 1, \qquad \langle a_0, \sigma_0\rangle \oplus \langle a_1, \sigma_1\rangle = 0 \quad (\text{respectively } = 1).$$

Also note that the two linear equation systems consist of three equations and involve at least 4 variables, because $a_0, a_1 \in \{0,1\}^\ell$ and $\ell \ge 2$. Therefore, using basic linear algebra, one is tempted to conclude that they both have solutions, and, because they have the same homogeneous part, they have the same number of solutions, equal to the number of homogeneous solutions. However, this is only guaranteed if the matrix defining the homogeneous part has full rank. In our situation, this is precisely the case if and only if $(\sigma_0,\sigma_1) \notin \{(o,o), (s_0,o), (o,s_1), (s_0,s_1)\}$, where those four exceptions have already been treated above. It follows that the equations (3.3), which are guaranteed by assumption, imply the equations (3.2).

It remains to justify the assumption that $p_{o,o} \le p_{o,s_1}$ for any $s_1$. In general, we choose $t \in \{0,1\}^\ell$ such that $p_{o,t} \le p_{o,s_1}$ for any $s_1 \in \{0,1\}^\ell$, and we set $P_{S_0S_1DW}(s_0,s_1,0,w) = p_{s_0,t}$ and $P_{S_0S_1DW}(s_0,s_1,1,w) = p_{o,s_1} - p_{o,t}$, resulting in the equation $p_{s_0,t} + p_{o,s_1} = p_{o,t} + p_{s_0,s_1}$ that needs to be satisfied for $s_0 \in \{0,1\}^\ell \setminus \{o\}$ and $s_1 \in \{0,1\}^\ell \setminus \{t\}$. This equality, though, can be argued as for equation (3.2), which we did above, simply by replacing $p_{\sigma_0,\sigma_1}$ on both sides of (3.3) by $p_{\sigma_0,\sigma_1 \oplus t}$ (where $\oplus$ is the bit-wise XOR). We may safely do so: doing a suitable variable substitution and using linearity of the inner product, it is easy to see that this modified equation still expresses uniformity of $\beta(S_0,S_1)$. This concludes the proof for the perfect case.

The General Case: Now, we consider the general case where there exists some $\varepsilon > 0$ such that $\delta(P_{\beta(S_0,S_1)W}, P_{\mathrm{UNIF}} \cdot P_W) \le 2^{-2\ell-1}\varepsilon$ for any NDLF $\beta$. We use the observations from the perfect case but additionally keep track of the "error term".

For any $w$ with $P_W(w) > 0$ and any NDLF $\beta$ set

$$\varepsilon_{w,\beta} = \delta\bigl(P_{\beta(S_0,S_1)W}(\cdot,w),\, P_{\mathrm{UNIF}} \cdot P_W(w)\bigr).$$

Note that $\sum_w \varepsilon_{w,\beta} = \delta(P_{\beta(S_0,S_1)W}, P_{\mathrm{UNIF}} \cdot P_W) \le 2^{-2\ell-1}\varepsilon$, independent of $\beta$. Fix now an arbitrary $w$ with $P_W(w) > 0$. Then, (3.3) only holds up to an error of $2\varepsilon_{w,\beta}$, where $\beta$ is the NDLF associated to $a_0, a_1$. As a consequence, equation (3.4) only holds up to an error of $2\sum_\beta \varepsilon_{w,\beta}$ and thus (3.2) holds up to an error of $\delta_{s_0,s_1} = 2 \cdot 2^{2-2\ell}\sum_\beta \varepsilon_{w,\beta}$, where the sum is over the $2^{2\ell-2}$ functions associated to the pairs $a_0, a_1$ with $\langle a_0,s_0\rangle = \langle a_1,s_1\rangle = 1$. Note that $\delta_{s_0,s_1}$ depends on $w$, but the set of $\beta$'s, over which the summation runs, does not. Adding up over all possible $w$'s gives

$$\sum_w \delta_{s_0,s_1} = 2 \cdot 2^{2-2\ell}\sum_\beta \sum_w \varepsilon_{w,\beta} \;\le\; 2 \cdot 2^{2-2\ell} \cdot 2^{2\ell-2} \cdot 2^{-2\ell-1}\varepsilon = 2^{-2\ell}\varepsilon.$$

Since (3.2) only holds approximately, $P_{S_0S_1DW}$ as in (3.1) is not necessarily a valid extension, but close. This can obviously be overcome by instead setting

$$P_{S_0S_1DW}(s_0,s_1,0,w) = p_{s_0,o} \pm \delta'_{s_0,s_1} \quad\text{and}\quad P_{S_0S_1DW}(s_0,s_1,1,w) = p_{o,s_1} - p_{o,o} \pm \delta''_{s_0,s_1}$$

with suitably chosen $\delta'_{s_0,s_1}, \delta''_{s_0,s_1} \ge 0$ with $\delta'_{s_0,s_1} + \delta''_{s_0,s_1} = \delta_{s_0,s_1}$, and with suitably chosen signs "+" or "$-$".$^3$ Using that every $P_{S_0S_1DW}(s_0,s_1,0,w)$ differs from $p_{s_0,o}$ by at most $\delta'_{s_0,s_1}$, it follows from a straightforward computation that $\delta\bigl(P_{S_1S_0DW}(\cdot,\cdot,0,w), P_{\mathrm{UNIF}}P_{S_0DW}(\cdot,0,w)\bigr) \le \sum_{s_0,s_1}\delta'_{s_0,s_1}$. The corresponding holds for $P_{S_0S_1DW}(\cdot,\cdot,1,w)$. It follows that

$$\delta(P_{S_{1-D}S_DWD}, P_{\mathrm{UNIF}}P_{S_DWD}) \;\le\; \sum_w \sum_{s_0,s_1}(\delta'_{s_0,s_1} + \delta''_{s_0,s_1}) = \sum_{s_0,s_1}\sum_w \delta_{s_0,s_1} \;\le\; 2^{2\ell} \cdot 2^{-2\ell}\varepsilon = \varepsilon$$

which concludes the proof. □

$^3$ Most of the time, it probably suffices to correct one of the two, say, choose $\delta'_{s_0,s_1} = \delta_{s_0,s_1}$ and $\delta''_{s_0,s_1} = 0$; however, if for instance $p_{s_0,o}$ and $p_{o,s_1} - p_{o,o}$ are both positive but $P_{S_0S_1W}(s_0,s_1,w) = 0$, then one has to correct both.
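The construction in the perfect case is mechanical enough to run. The following is an added example, not code from the thesis: for $\ell = 2$ it enumerates all NDLFs $\beta(s_0,s_1) = \langle a_0,s_0\rangle \oplus \langle a_1,s_1\rangle$ over a sub-distribution $p_{s_0,s_1}$ (one fixed receiver output $w$), applies the extension (3.1) with the shift $t$ from the general argument, and checks the equations of type (3.2). The two receiver views fed to it are constructed for the demonstration: one where the receiver learns exactly one of the two strings (each $S_i$ alone is far from uniform, yet every NDLF is perfectly balanced and a pointer $D$ is found), and one where the receiver learns $S_0 \oplus S_1$ (each $S_i$ alone is uniform, yet some NDLF is constant and no pointer of the form (3.1) exists).

```python
from fractions import Fraction
from itertools import product

ELL = 2                                          # string length ell (kept tiny)
STRINGS = list(product((0, 1), repeat=ELL))      # {0,1}^ell
ZERO = (0,) * ELL                                # the all-zero string o


def ip(a, s):
    """Inner product <a, s> over GF(2)."""
    return sum(x & y for x, y in zip(a, s)) & 1


def xor(s, t):
    """Bit-wise XOR of two strings."""
    return tuple(x ^ y for x, y in zip(s, t))


def ndlf_bias(p):
    """Largest statistical distance of beta(S0, S1) from uniform over all NDLFs.

    p maps (s0, s1) -> probability mass for one fixed receiver output w.
    An NDLF is beta(s0, s1) = <a0, s0> xor <a1, s1> with a0, a1 both nonzero.
    """
    total = sum(p.values())
    worst = Fraction(0)
    for a0 in STRINGS:
        for a1 in STRINGS:
            if a0 == ZERO or a1 == ZERO:
                continue
            mass1 = sum(pr for (s0, s1), pr in p.items() if ip(a0, s0) ^ ip(a1, s1))
            worst = max(worst, abs(mass1 - total / 2) / total)
    return worst


def extend_with_pointer(p):
    """Apply the extension (3.1), with the shift t of the general argument, and
    check the equations of type (3.2).

    Returns (P0, P1) with P0[(s0, s1)] = P(s0, s1, D=0, w) and P1 the same for
    D=1, or None if the table is not a valid extension of p (no pointer D of
    this form exists for this w).
    """
    t = min(STRINGS, key=lambda s1: p[(ZERO, s1)])   # p_{o,t} <= p_{o,s1} for all s1
    P0 = {(s0, s1): p[(s0, t)] for s0 in STRINGS for s1 in STRINGS}
    P1 = {(s0, s1): p[(ZERO, s1)] - p[(ZERO, t)] for s0 in STRINGS for s1 in STRINGS}
    for key in p:
        if P0[key] + P1[key] != p[key] or P0[key] < 0 or P1[key] < 0:
            return None
    return P0, P1


def secure_receiver_view(a, b):
    """Constructed view: with prob 1/2 the receiver learns S0 = a (S1 uniform),
    with prob 1/2 it learns S1 = b (S0 uniform). Each S_i alone is biased."""
    return {(s0, s1): Fraction(int(s0 == a) + int(s1 == b), 2 ** (ELL + 1))
            for s0 in STRINGS for s1 in STRINGS}


def xor_leak_view(c):
    """Constructed view: the receiver learns S0 xor S1 = c. S0 and S1 are each
    uniform, but their XOR is known, which sender-security forbids."""
    return {(s0, s1): Fraction(int(xor(s0, s1) == c), 2 ** ELL)
            for s0 in STRINGS for s1 in STRINGS}


if __name__ == "__main__":
    for name, view in (("one-string", secure_receiver_view((1, 0), (1, 1))),
                       ("xor-leak", xor_leak_view((0, 1)))):
        print(name, "max NDLF bias:", ndlf_bias(view),
              "pointer D exists:", extend_with_pointer(view) is not None)
```

In the first view the returned tables satisfy $P_0(s_0,s_1)$ independent of $s_1$ and $P_1(s_0,s_1)$ independent of $s_0$, which is exactly what makes $S_{1-D}$ uniform given $S_D$, $D$ and $w$; in the second view the check of (3.2) fails at $(s_0,s_1) = (c,c)$, mirroring the role of the NDLF $\langle a,S_0\rangle \oplus \langle a,S_1\rangle = \langle a,c\rangle$ that is constant there.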

3.4 Applications

In this section we will show the usefulness of Theorem 3.6 for the construction of 1-2 OT$^\ell$, based on weaker primitives like a noisy channel or other flavors of OT. In particular, we will show that the reducibility of 1-2 OT to any weaker flavor of OT follows as a simple argument using Theorem 3.6.

3.4.1 Reducing 1-2 OT$^\ell$ to Independent Repetitions of Weak 1-2 OTs

Background

A great deal of effort has been put into constructing protocols for 1-2 OT$^\ell$ based on physical assumptions like various models for noisy channels [CK88, DKS99, DFMS04, CMW04] or a memory bounded adversary [CCM98, Din01b, DHRS04], as well as into reducing 1-2 OT$^\ell$ to (seemingly) weaker flavors of OT, like Rabin OT, 1-2 XOT, 1-2 GOT and 1-2 UOT [Cre87, BC97, Cac98, Wol00, BCW03, CS06, Wul07]. Note that the latter three flavors of OT are weaker than 1-2 OT in that the dishonest receiver has more freedom in choosing the sort of information he wants to get about the sender's input bits $B_0$ and $B_1$: $B_0$, $B_1$ or $B_0 \oplus B_1$ in case of 1-2 XOR-OT (which is abbreviated by 1-2 XOT), $g(B_0,B_1)$ for an arbitrary one-bit-output function $g$ in case of 1-2 Generalized-OT (1-2 GOT), and an arbitrary probabilistic $Y$ with mutual information $I(B_0B_1;Y) \le 1$ in case of 1-2 Universal-OT (1-2 UOT).$^4$

All these reductions of 1-2 OT to weaker versions follow a specific construction design, which is also at the core of the 1-2 OT protocols based on noisy channels or a memory-bounded adversary. By repeated independent executions of the underlying primitive, S transfers a randomly chosen bit string $X = (X_0, X_1) \in \{0,1\}^n \times \{0,1\}^n$ to R such that:

1. depending on his choice bit $C$, the honest R knows either $X_0$ or $X_1$,

2. any S has no information on which part of $X$ R learned, and

3. any R has some uncertainty in $X$.

$^4$ As a matter of fact, reducibility has been proven for any bound on $I(B_0B_1;Y)$ strictly smaller than 2. Note that there is some confusion in the literature in what a Universal OT, UOT, is: in [BC97, Wol00, BCW03], a UOT takes as input two bits and the receiver is doomed to have at least one bit or any other non-trivial amount of Shannon entropy on them; we denote this by 1-2 UOT. Whereas in [Cac98], a UOT takes as input two strings and the receiver is doomed to have some Rényi entropy of order $\alpha > 1$ on them. We address this latter notion in more detail in Section 3.4.2.
Then, this is completed to a Rand 1-2 OT by means of privacy amplification (cf. Section 2.5): S samples two functions $f_0$ and $f_1$ from a two-universal class $\mathcal F$ of hash functions, sends them to R, and outputs $S_0 = f_0(X_0)$ and $S_1 = f_1(X_1)$, and R outputs $S_C = f_C(X_C)$. Finally, the Rand 1-2 OT is transformed into an ordinary 1-2 OT in the obvious way.

Correctness and receiver-security of this construction are clear; they follow immediately from 1. and 2. How easy or hard it is to prove sender-security depends heavily on the underlying primitive. In case of Rabin OT it is rather straightforward. In case of 1-2 XOT and the other weaker versions, this is non-trivial. The problem is that since R might know $X_0 \oplus X_1$, it is not possible to argue that there exists $d \in \{0,1\}$ such that R's uncertainty on $X_{1-d}$ is large when given $X_d$. This, though, would be necessary in order to finish the proof by simply applying the privacy amplification theorem (Corollary 2.27). This difficulty is overcome in [BC97, BCW03] by tailoring the proof to a particular two-universal class of hash functions, namely the class of all linear hash functions. Whether the reduction also works for a less restricted class of hash functions is left in [BC97, BCW03] as an open problem, which we solve here as a side result. Using a smaller class of hash functions would allow for instance to reduce the communication complexity of the protocol.

In [CS06], the difficulty is overcome by giving up on the simplicity of the reduction. The cost of two-way communication allowing for interactive hashing is traded for better reduction parameters. We would like to emphasize that these parameters are incomparable to ours, because a different reduction is used, whereas our approach provides a better analysis of the common non-interactive reductions.

The New Approach

We argue that, independent of the underlying primitive, sender-security follows as a simple consequence of Theorem 3.6 in combination with a simple observation regarding the composition of non-degenerate linear (respectively, more general, 2-balanced) functions with strongly two-universal hash functions, stated in Proposition 3.7 below.

Recall Definition 2.23 of strong two-universality. A class $\mathcal F$ of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$ is strongly two-universal, if for any distinct $x, x' \in \{0,1\}^n$ the two random variables $F(x)$ and $F(x')$ are independent and uniformly distributed over $\{0,1\}^\ell$, where the random variable $F$ represents the random choice of a function in $\mathcal F$.

Proposition 3.7 Let $\mathcal F_0$ and $\mathcal F_1$ be two classes of strongly two-universal hash functions from $\{0,1\}^{n_0}$ respectively $\{0,1\}^{n_1}$ to $\{0,1\}^\ell$, and let $\beta : \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}$ be a 2-balanced function. Consider the class $\mathcal F$ of all functions $f : \{0,1\}^{n_0} \times \{0,1\}^{n_1} \to \{0,1\}$ with $f(x_0,x_1) = \beta(f_0(x_0), f_1(x_1))$ where $f_0 \in \mathcal F_0$ and $f_1 \in \mathcal F_1$. Then, $\mathcal F$ is strongly two-universal.$^5$

$^5$ It is easy to see that the claim does not hold in general for ordinary (as opposed to strongly) two-universal classes: if $n_0 = n_1 = \ell$ and $\mathcal F_0$ and $\mathcal F_1$ both only contain the identity function $\mathrm{id} : \{0,1\}^\ell \to \{0,1\}^\ell$ and thus are two-universal, then $\mathcal F$ consisting of the function $f(x_0,x_1) = \beta(\mathrm{id}(x_0), \mathrm{id}(x_1)) = \beta(x_0,x_1)$ is not two-universal.

Proof: Fix distinct $x = (x_0,x_1)$ and $x' = (x_0',x_1')$ in $\{0,1\}^{n_0} \times \{0,1\}^{n_1}$. Assume without loss of generality that $x_1 \ne x_1'$. Fix $f_0 \in \mathcal F_0$ and set $s_0 = f_0(x_0)$ and $s_0' = f_0(x_0')$. By assumption on $\mathcal F_1$, the random variables $F_1(x_1)$ and $F_1(x_1')$ are independent and uniformly distributed over $\{0,1\}^\ell$, where $F_1$ represents the random choice for $f_1 \in \mathcal F_1$. By the assumption on $\beta$, this implies that $\beta(f_0(x_0), F_1(x_1))$ and $\beta(f_0(x_0'), F_1(x_1'))$ are independent and uniformly distributed over $\{0,1\}$. This holds no matter how $f_0$ is chosen, and thus proves the claim. □
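Proposition 3.7 and footnote 5 can be checked exhaustively for tiny parameters. The following is an added example, not from the thesis: it builds the class of all affine maps $x \mapsto Ax + b$ over GF(2) from $\{0,1\}^2$ to $\{0,1\}$ (this class is strongly two-universal; that is a standard fact assumed here and re-verified by the code), composes two independent copies through the NDLF $\beta(u,v) = u \oplus v$, and tests strong two-universality by counting value pairs. It also reproduces the footnote's counterexample with $\{\mathrm{id}\}$, and shows that choosing the same function $f_0 = f_1$ in both positions destroys even ordinary two-universality, which is the point exploited in Section 3.4.2.

```python
from fractions import Fraction
from itertools import product


def bits(n):
    """All strings in {0,1}^n."""
    return list(product((0, 1), repeat=n))


def affine_class(n, l):
    """The class of all affine maps x -> A x + b over GF(2) from {0,1}^n to
    {0,1}^l, each represented as a dict x -> f(x)."""
    fam = []
    for rows in product(bits(n), repeat=l):          # the l rows of A
        for b in bits(l):
            fam.append({x: tuple((sum(r[k] & x[k] for k in range(n)) + b[i]) & 1
                                 for i, r in enumerate(rows))
                        for x in bits(n)})
    return fam


def is_strongly_two_universal(fam, domain, range_size):
    """For all x != x': (F(x), F(x')) is uniform over range_size**2 value pairs."""
    m = len(fam)
    for x in domain:
        for xp in domain:
            if x == xp:
                continue
            counts = {}
            for f in fam:
                counts[(f[x], f[xp])] = counts.get((f[x], f[xp]), 0) + 1
            if len(counts) != range_size ** 2 or any(c * range_size ** 2 != m for c in counts.values()):
                return False
    return True


def is_two_universal(fam, domain, range_size):
    """For all x != x': Pr[F(x) = F(x')] <= 1/range_size."""
    m = len(fam)
    for x in domain:
        for xp in domain:
            if x != xp and Fraction(sum(f[x] == f[xp] for f in fam), m) > Fraction(1, range_size):
                return False
    return True


def xor_beta(u, v):
    """The NDLF beta(u, v) = <1...1, u> xor <1...1, v>; every NDLF is 2-balanced."""
    return (sum(u) + sum(v)) & 1


def compose(fam0, fam1, beta):
    """The class F of Proposition 3.7: (x0, x1) -> beta(f0(x0), f1(x1)) with
    f0 and f1 ranging independently over fam0 and fam1."""
    return [{(x0, x1): beta(f0[x0], f1[x1]) for x0 in f0 for x1 in f1}
            for f0 in fam0 for f1 in fam1]


def compose_same(fam, beta):
    """The same construction but with f0 = f1 = f (one random choice reused)."""
    return [{(x0, x1): beta(f[x0], f[x1]) for x0 in f for x1 in f} for f in fam]


if __name__ == "__main__":
    A = affine_class(2, 1)
    dom = [(x0, x1) for x0 in bits(2) for x1 in bits(2)]
    print("affine class strongly 2-universal:", is_strongly_two_universal(A, bits(2), 2))
    print("composed class strongly 2-universal:", is_strongly_two_universal(compose(A, A, xor_beta), dom, 2))
    print("f0 = f1 variant 2-universal:", is_two_universal(compose_same(A, xor_beta), dom, 2))
```

For the reused-function variant the collision is structural: an affine $f$ gives $f(x_0) \oplus f(x_1) = A(x_0 \oplus x_1)$, so any two inputs with the same $x_0 \oplus x_1$ collide with probability 1.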

Now, briefly, sender-security for a construction as sketched above can be argued as follows. The only restriction is that $\mathcal F$ needs to be strongly two-universal. From the independent repetitions of the underlying weak OT (Rabin OT, 1-2 XOT, 1-2 GOT or 1-2 UOT) it follows that R has "high" collision entropy in $X$. Hence, for any NDLF $\beta$, we can apply the privacy-amplification Theorem 2.27 with the strongly two-universal hash function $\beta(f_0(\cdot), f_1(\cdot))$ and argue that $\beta(f_0(X_0), f_1(X_1))$ is close to uniform for randomly chosen $f_0$ and $f_1$. Sender-security then follows immediately from Theorem 3.6.

We save the quantitative analysis (Theorem 3.8) for the next section, where we consider a reduction of 1-2 OT to the weakest kind of OT: to one execution of a UOT. Based on this, we compare in Section 3.4.3 the quality of the analysis of the above reductions based on Theorem 3.6 with the results in [BCW03]. It turns out that our analysis is tighter for 1-2 GOT and 1-2 UOT, whereas the analysis in [BCW03] is tighter for 1-2 XOT; but in all cases, our analysis is much simpler and, we believe, more elegant.

3.4.2 Reducing 1-2 OT$^\ell$ to One Execution of UOT

In this section, we use the definition and some elementary properties of Rényi entropy introduced in Section 2.4.1.

Universal Oblivious Transfer

Probably the weakest flavor of OT is the Universal OT (UOT) as it was introduced by Cachin in [Cac98], in that it gives the receiver the most freedom in getting information on the string $X$. Formally, for a finite set $\mathcal X$ and parameters $\alpha > 1$ (allowing $\alpha = \infty$) and $r \ge 0$, an $(\alpha,r)$-UOT$(\mathcal X)$ works as follows: the sender inputs $x \in \mathcal X$, and the receiver may choose an arbitrary conditional probability distribution $P_{Y|X}$ with the only restriction that for a uniformly distributed $X$ it must satisfy $H_\alpha(X|Y) \ge r$. The receiver then gets as output $y$, sampled according to the distribution $P_{Y|X}(\cdot|x)$, whereas the sender gets no information on the receiver's choice for $P_{Y|X}$. Note that a 1-2 UOT is a limit case of this kind of UOT since "1-2 UOT = $(1,1)$-UOT$(\{0,1\}^2)$".

The crucial property of such a UOT is that the input is not restricted to two bits, but may be two bit-strings; this potentially allows to reduce 1-2 OT to one execution of a UOT, rather than to many independent executions of the same primitive as for the 1-2 flavors of OT mentioned above. Indeed, following the design principle discussed in Section 3.4.1, it is straightforward to come up with a candidate protocol for 1-2 OT$^\ell$ which uses one execution of an $(\alpha,r)$-UOT$(\mathcal X)$ with $\mathcal X = \{0,1\}^n \times \{0,1\}^n$. The protocol is given in Figure 3.3, where $\mathcal F$ is a strongly two-universal class of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$.



OT2UOT$(c)$:

1. S and R run $(\alpha,r)$-UOT$(\mathcal X)$: S inputs a random $x = (x_0,x_1) \in \mathcal X = \{0,1\}^n \times \{0,1\}^n$, R inputs $P_{Y|X}$ with $P_{Y|X}(x'_c \,|\, (x'_0,x'_1)) = 1$ for any $(x'_0,x'_1)$, and as a result R obtains $y = x_c$.

2. S samples independent random $f_0, f_1 \in \mathcal F$, sends $f_0$ and $f_1$ to R, and outputs $s_0 = f_0(x_0)$ and $s_1 = f_1(x_1)$.

3. R computes and outputs $s_c = f_c(y)$.

Figure 3.3: Protocol OT2UOT for Rand 1-2 OT$^\ell$.

In [Cac98] it is claimed that, for appropriate parameters, protocol OT2UOT is a secure Rand 1-2 OT$^\ell$, respectively, the resulting protocol for 1-2 OT is secure. However, we argue below that the proof given is not correct and it is not obvious how to fix it. In Theorem 3.8 we then show that its security follows easily from Theorem 3.6.

A Flaw in the Security Proof

In [Cac98] the security of protocol OT2UOT is argued as follows. Using rather complicated spoiling-knowledge techniques, it is shown that, conditioned on the receiver's output (which we suppress to simplify the notation), at least one out of $H_\infty(X_0)$ and $H_\infty(X_1|X_0 = x_0)$ is "large" (for any $x_0$), and, similarly, at least one out of $H_\infty(X_1)$ and $H_\infty(X_0|X_1 = x_1)$. Since collision entropy is lower bounded by min-entropy, it then follows from the privacy amplification theorem that at least one out of $H(F_0(X_0)|F_0)$ and $H(F_1(X_1)|F_1, X_0 = x_0)$ is close to $\ell$, and similarly, one out of $H(F_1(X_1)|F_1)$ and $H(F_0(X_0)|F_0, X_1 = x_1)$. It is then claimed that this proves OT2UOT secure.

We argue that this very last implication is not correct. Indeed, what is proven about the entropy of $F_0(X_0)$ and $F_1(X_1)$ does not exclude the possibility that both entropies $H(F_0(X_0)|F_0)$ and $H(F_1(X_1)|F_1)$ are maximal, but that $H(F_0(X_0) \oplus F_1(X_1)|F_0,F_1) = 0$. This would allow the receiver to learn the bit-wise XOR $S_0 \oplus S_1$, which is clearly forbidden by the condition of sender-security.

Also note that the proof does not use the fact that the two functions $F_0$ and $F_1$ are chosen independently. However, if they are chosen to be the same, then the protocol is clearly insecure: if the receiver asks for $Y = X_0 \oplus X_1$, and if $\mathcal F$ is a class of linear two-universal hash functions, then R obviously learns $S_0 \oplus S_1$.
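The attack in the last paragraph can be simulated end to end. The following is an added example, not code from the thesis or from [Cac98]: the sender hashes with linear maps $f(x) = Ax$ over GF(2) (a two-universal class), the two matrices are constructed for the demonstration, and the dishonest receiver asks the UOT for $y = x_0 \oplus x_1$. For uniform $X$ this query leaves $H_\alpha(X|Y) = n$ for every order $\alpha$, so it is permitted whenever $r \le n$. The receiver's knowledge of $s_0 \oplus s_1$ is measured exactly: the code enumerates every $(x_0,x_1)$ consistent with its view and collects the resulting values of $s_0 \oplus s_1$; a single candidate means the XOR has leaked.

```python
from itertools import product

# Constructed linear hash functions {0,1}^4 -> {0,1}^2, f(x) = A x over GF(2).
# The class of all such A is two-universal; these two matrices are one sample.
F0 = [[1, 0, 1, 1],
      [0, 1, 1, 0]]
F1 = [[1, 1, 0, 0],
      [0, 0, 1, 1]]


def matvec(A, x):
    """A x over GF(2); A is a list of rows, x a tuple of bits."""
    return tuple(sum(a & b for a, b in zip(row, x)) & 1 for row in A)


def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))


def ot2uot_sender(x0, x1, f0, f1):
    """Step 2 of OT2UOT: the sender outputs s0 = f0(x0) and s1 = f1(x1)."""
    return matvec(f0, x0), matvec(f1, x1)


def ot2uot_honest_run(x0, x1, c, f0, f1):
    """Honest execution: R asks the UOT for y = x_c and outputs s_c = f_c(y)."""
    y = (x0, x1)[c]
    s0, s1 = ot2uot_sender(x0, x1, f0, f1)
    return s0, s1, matvec((f0, f1)[c], y)


def xor_query_candidates(y, f0, f1):
    """A dishonest R asks the UOT for y = x0 xor x1 instead. Returns the set of
    values s0 xor s1 consistent with its view (y, f0, f1), by enumerating all
    (x0, x1) with x0 xor x1 = y."""
    return {xor(matvec(f0, x0), matvec(f1, xor(x0, y)))
            for x0 in product((0, 1), repeat=len(y))}


def xor_is_determined(y, f0, f1):
    """True iff the view pins down s0 xor s1, i.e. the XOR of the outputs leaks."""
    return len(xor_query_candidates(y, f0, f1)) == 1


if __name__ == "__main__":
    y = (1, 0, 1, 1)
    print("same hash f0 = f1:  leaked =", xor_is_determined(y, F0, F0),
          "candidates", xor_query_candidates(y, F0, F0))
    print("independent f0, f1: leaked =", xor_is_determined(y, F0, F1),
          "candidates", xor_query_candidates(y, F0, F1))
```

With $f_0 = f_1 = A$ the receiver computes $s_0 \oplus s_1 = A x_0 \oplus A(x_0 \oplus y) = Ay$ directly from $y$. With independent $A_0 \ne A_1$ the candidate set is $\{(A_0 \oplus A_1)x_0 \oplus A_1 y\}$, which for the matrices above is all of $\{0,1\}^2$, so nothing about $s_0 \oplus s_1$ is determined by the view.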
Reducing 1-2 OT$^\ell$ to UOT

The following theorem guarantees the security of OT2UOT for an appropriate choice of the parameters. The only restriction we have to make is that $\mathcal F$ needs to be a strongly two-universal class of hash functions.

Theorem 3.8 Let $\mathcal F$ be a strongly two-universal class of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$. Then OT2UOT reduces a $2^{-\kappa}$-secure Rand 1-2 OT$^\ell$ to a perfect $(2,r)$-UOT$(\{0,1\}^{2n})$ with $n \ge r \ge 4\ell + 2\kappa + 1$.

Using the bounds from Lemma 2.9 on the different orders of Rényi entropy, the reducibility of 1-2 OT$^\ell$ to $(\alpha,r)$-UOT$(\mathcal X)$ follows immediately for any $\alpha > 1$.

Informally, sender-security of the protocol OT2UOT is argued as for the reduction of 1-2 OT to Rabin OT, 1-2 XOT etc., discussed in Section 3.4.1, simply by using Proposition 3.7 in combination with the privacy amplification Theorem 2.27 and applying Theorem 3.6. The formal proof given below additionally keeps track of the error term.

From this proof it also becomes clear that the exponential (in $\ell$) overhead in Theorem 3.6 is unavoidable. Indeed, a sub-exponential overhead would allow $\ell$ in Theorem 3.8 to be super-linear in $n$, which of course is nonsense.

Proof: By the definition of conditional collision entropy, we have that for all $y$, $H_2(X|Y=y) \ge r \ge 4\ell + 2\kappa + 1$. Fix an arbitrary $y$ and consider any NDLF $\beta : \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}$. Let $F_0$ and $F_1$ be the random variables that represent the random choices of $f_0$ and $f_1$, and set $B = \beta(F_0(X_0), F_1(X_1))$. In combination with Proposition 3.7, privacy amplification (Corollary 2.27) guarantees that

$$\delta\bigl(P_{BF_0F_1|Y=y},\, P_{\mathrm{UNIF}}P_{F_0F_1|Y=y}\bigr) \;\le\; 2^{-\frac12(H_2(X|Y=y)+1)} \;\le\; 2^{-\frac12(4\ell + 2\kappa + 2)} = 2^{-2\ell-\kappa-1}.$$

It now follows that

$$\delta(P_{\beta(S_0,S_1)W}, P_{\mathrm{UNIF}} \cdot P_W) = \delta(P_{BF_0F_1Y}, P_{\mathrm{UNIF}}P_{F_0F_1Y}) = \sum_y \delta\bigl(P_{BF_0F_1|Y=y}, P_{\mathrm{UNIF}}P_{F_0F_1|Y=y}\bigr)P_Y(y) \;\le\; 2^{-\kappa}/2^{2\ell+1}.$$

Sender-security as claimed now follows from Theorem 3.6. □

The min-entropy splitting Lemma 2.15 and a larger (not necessarily strongly) two-universal class of hash functions can alternatively be used to show the security of the reduction protocol OT2UOT without the use of NDLFs. We do this here for illustration purposes because the same technique is used in the security proof of 1-2 OT in the bounded-quantum-storage model in Chapter 6. After the execution of a perfect $(\infty,r)$-UOT$(\{0,1\}^{2n})$, we have $H_\infty(X_0X_1|Y) \ge r$ and Lemma 2.15 yields the existence of a random variable $D \in \{0,1\}$ such that $H_\infty(X_{1-D}D|Y) \ge r/2$ and therefore also $H_\infty(X_{1-D}DS_D|Y) \ge r/2$. By the chain rule (Lemma 2.12) and setting $\varepsilon := 2^{-\kappa-1}$, we get $H^\varepsilon_\infty(X_{1-D}|DS_DY) \ge r/2 - 1 - \ell - \kappa - 1$. Hence to get a $2^{-\kappa}$-secure Rand 1-2 OT$^\ell$ via the privacy amplification theorem (Corollary 2.25), we need $r/2 - \ell - \kappa - 2 \ge 2\kappa + \ell$, which gives slightly worse parameters than in Theorem 3.8, namely $n \ge r \ge 4\ell + 6\kappa + 4$.
3.4.3 Quantitative Comparisons To Related Work

Subsequent to [DFSS06], Wullschleger improved the min-entropy splitting technique described in the last paragraph. In [Wul07], it is shown that the protocol OT2UOT reduces a $2^{-\kappa}$-secure Rand 1-2 OT$^\ell$ to a perfect $(\infty,r)$-UOT$(\{0,1\}^{2n})$ if $n \ge r \ge 2\ell + 6\kappa + 6\log(3)$. So, a Rand 1-2 OT$^\ell$ of strings of length $\ell$ roughly half of the receiver's min-entropy $r$ can be obtained, which is asymptotically optimal for this reduction protocol. Technically, the result is essentially obtained by using the min-entropy splitting approach sketched at the end of the last section and a more careful case distinction. The random variable $D \in \{0,1\}$ pointing to the "known" string $X_D$ is basically defined as in Lemma 2.15, but for the case when both $X_0, X_1$ have high min-entropy, a new distributed left-over hash lemma is used to show that both $S_0$ and $S_1$ are close to uniform and therefore close to independent (and hence, the pointer $D$ can be chosen arbitrarily in this case).

In the following, we compare the simple reduction of 1-2 OT$^\ell$ to $n$ executions of 1-2 XOT, 1-2 GOT and 1-2 UOT, respectively, using our analysis based on Theorem 3.6 together with the quantitative statement given in Theorem 3.8, with the results achieved in [BCW03].$^6$ The quality of the analysis of a reduction is given by the reduction parameters $c_{\mathrm{len}}$, $c_{\mathrm{sec}}$ and $c_{\mathrm{const}}$ such that the 1-2 OT$^\ell$ is guaranteed to be $2^{-\kappa}$-secure as long as $n \ge c_{\mathrm{len}} \cdot \ell + c_{\mathrm{sec}} \cdot \kappa + c_{\mathrm{const}}$. The smaller these constants are, the better is the analysis of the reduction. The comparison of these parameters is given in Figure 3.4. We focus on $c_{\mathrm{len}}$ and $c_{\mathrm{sec}}$ since $c_{\mathrm{const}}$ is not really relevant, unless very large.

Figure 3.4: Comparison of the reduction parameters.

The parameters in the first line can easily be extracted from Theorems 5, 7 and 9 of [BCW03], where in Theorem 9 $p_e \approx 0.19$. The parameters in the second line corresponding to the reduction to 1-2 XOT follow immediately from Theorem 3.8, using the fact that in one execution of a 1-2 XOT, the receiver's conditional collision entropy on the sender's two input bits is at least 1.

Determining the parameters of the reductions to 1-2 GOT and 1-2 UOT requires a little more work. We first determine the average conditional min-entropy $H_\infty(X|Y)$ of one instance of 1-2 GOT and 1-2 UOT. In the case of 1-2 GOT, $H_\infty(X|Y)$ can easily be seen to be at least 1 (for example by inspection of Table 2 in [BCW03]). For one execution of 1-2 UOT, the receiver's average Shannon entropy is at least 1. Therefore, it follows from Fano's Inequality (Lemma 2.11) that his average guessing probability is at most $1 - p_e$ with $p_e \approx 0.19$ as above, and thus his average conditional min-entropy is at least $-\log(1 - p_e) \approx 0.3$.

We use Lemma 2.8 to lower bound the (regular) conditional min-entropy $H_\infty(X|Y=y)$ except with probability $2^{-\kappa-1}$ and use Theorem 3.8 with security parameter $2^{-\kappa-1}$, which together yields a $2^{-\kappa}$-secure Rand 1-2 OT$^\ell$. To apply Theorem 3.8 we require $H_2(X|Y=y) \ge H_\infty(X|Y=y) \ge 4\ell + 2\kappa + 3$, and to obtain this by Lemma 2.8 we need $H_\infty(X|Y) \ge 4\ell + 3\kappa + 4$.

This yields $c_{\mathrm{len}} = 4$, $c_{\mathrm{sec}} = 3$ for 1-2 GOT and $c_{\mathrm{len}} \approx 4/0.3$ and $c_{\mathrm{sec}} \approx 3/0.3$ for 1-2 UOT. The derivation of the parameters for [Wul07] is analogous.

$^6$ As mentioned earlier, these results are incomparable to the parameters achieved in [CS06], where interactive reductions are used.

3.5 Extension to 1-n OT$^\ell$

In this section we extend our characterization of sender-security of Rand 1-2 OT to Rand 1-n OT. We use the following notation. For a sequence of random variables $S_0, S_1, \ldots, S_{n-1}$ and indices $i, j \in \{0,\ldots,n-1\}$, we denote by $S_{\overline{ij}}$ the sequence of variables $\{S_k : k \in \{0,\ldots,n-1\} \setminus \{i,j\}\}$ with all indices except $i$ and $j$. Similarly, $S_{\bar i}$ denotes all variables but the $i$th.

Definition 3.9 (Rand 1-n OT$^\ell$) An $\varepsilon$-secure Rand 1-n OT$^\ell$ is a protocol between S and R, with R having input $C \in \{0,1,\ldots,n-1\}$ (while S has no input), such that for any distribution of $C$, the following properties hold:

$\varepsilon$-Correctness: For honest S and R, S has output $S_0, S_1, \ldots, S_{n-1} \in \{0,1\}^\ell$ and R outputs $S_C$, except with probability $\varepsilon$.

$\varepsilon$-Receiver-security: If R is honest then for any (possibly dishonest) S with output $V$,

$$\delta(P_{CV}, P_C \cdot P_V) \le \varepsilon.$$

$\varepsilon$-Sender-security: If S is honest then for any (possibly dishonest) R with output $W$, there exists a random variable $D$ with range $\{0,1,\ldots,n-1\}$ such that



Analogous to the 1-2 OT case we want for sender-security that there exists a choice $D$, such that when given the corresponding string (or bit) $S_D$ all the other strings (or bits) look completely random from R's point of view.

Recall that for the characterization of sender-security in the case of 1-2 OT, it is sufficient that $P_{\beta(S_0,S_1)W} = P_{\mathrm{UNIF}} \cdot P_W$ for every NDLF $\beta$. In a first attempt one might try to characterize the sender-security of 1-n OT using linear functions $\beta$ that non-trivially depend on $n$ arguments. In the case of 1-3 OT of bits, the only linear function of this kind is the XOR of the three bits, but it can be easily verified that the requirement that $B_0 \oplus B_1 \oplus B_2$ is uniform does not imply sender-security in the sense defined above (a receiver who learns exactly $B_0 \oplus B_1$ satisfies it, yet no choice of $D$ leaves the remaining bits uniform given $B_D$). Instead, as we will see below, sufficient requirements are that the XOR of every pair of bits is uniform when given the value of the third.

Theorem 3.10 The condition for $\varepsilon$-sender-security for a Rand 1-n OT$^\ell$ is satisfied for a particular (possibly dishonest) receiver R with output $W$, if for all $i \ne j \in \{0,\ldots,n-1\}$

$$\delta\bigl(P_{\beta(S_i,S_j)WS_{\overline{ij}}},\, P_{\mathrm{UNIF}} \cdot P_{WS_{\overline{ij}}}\bigr) \le \nu$$

for every NDLF $\beta$, where $\nu = \varepsilon/(2^{2\ell}n(n-1))$.

Proof: We first consider and prove the perfect case.

The Perfect Case: Like in the proof of Theorem 3.6 we fix an output $w$ of the receiver and consider the non-normalized probability distribution $P_{S_0 \ldots S_{n-1}W}(\cdot,\ldots,\cdot,w)$. We use the variable $p_{s_0,\ldots,s_{n-1}}$ to refer to the value $P_{S_0 \ldots S_{n-1}W}(s_0,\ldots,s_{n-1},w)$ and $o$ for the all-zero string $(0,\ldots,0) \in \{0,1\}^\ell$. We use bold font to denote a collection of strings $\mathbf s := (s_0, s_1, \ldots, s_{n-1}) \in \{0,1\}^{\ell n}$, and we write $\mathbf s_{\bar i}$ for $(s_0, \ldots, s_{i-1}, s_{i+1}, \ldots, s_{n-1})$, the collection $\mathbf s$ without $s_i$. Finally, for a collection $\mathbf t = (t_0, \ldots, t_{k-1}) \in \{0,1\}^{\ell k}$ of arbitrary size $k$, we define sets of indices with one (respectively two) non-zero substrings:

$$S_1(\mathbf t) := \{(o,\ldots,o,t_i,o,\ldots,o) : i \in \{0,\ldots,k-1\}\}$$

$$S_2(\mathbf t) := \{(o,\ldots,o,t_i,o,\ldots,o,t_j,o,\ldots,o) : i < j \in \{0,\ldots,k-1\}\}$$

where the $t_i$ (and $t_j$) are at $i$th (and $j$th) position. As in the proof of Theorem 3.6, we assume for the clarity of exposition that for all $i \in \{0,\ldots,n-1\}$ and $s_i \in \{0,1\}^\ell$, it holds that $p_{o,\ldots,o} \le p_{o,\ldots,o,s_i,o,\ldots,o}$ (where $s_i$ is at position $i$). For symmetry reasons, the general case can be handled along the same lines.

We extend the distribution $P_{S_0 \ldots S_{n-1}W}(\cdot,\ldots,\cdot,w)$ similarly to (3.1): for every $\mathbf s \in \{0,1\}^{\ell n}$, we set

$$P_{S_0 \ldots S_{n-1}DW}(s_0,\ldots,s_{n-1},0,w) := p_{s_0,o,\ldots,o},$$
$$P_{S_0 \ldots S_{n-1}DW}(s_0,\ldots,s_{n-1},1,w) := p_{o,s_1,o,\ldots,o} - p_{o,\ldots,o},$$
$$\vdots$$
$$P_{S_0 \ldots S_{n-1}DW}(s_0,\ldots,s_{n-1},n-2,w) := p_{o,\ldots,o,s_{n-2},o} - p_{o,\ldots,o},$$
$$P_{S_0 \ldots S_{n-1}DW}(s_0,\ldots,s_{n-1},n-1,w) := p_{o,\ldots,o,s_{n-1}} - p_{o,\ldots,o}.$$

In order to show that this is a valid extension, we have to show that for every $\mathbf s \in \{0,1\}^{\ell n}$

$$p_{\mathbf s} = \sum_{\mathbf t \in S_1(\mathbf s)} p_{\mathbf t} - (n-1)\,p_{o,\ldots,o}. \qquad (3.5)$$

If this holds, then the random variable $D$ is well defined, and the $S_{\bar D}$ are uniformly distributed given $D$, $S_D$ and $W$.
We now show that (3.5) follows from the assumed uniformity property that $P_{\beta(S_i,S_j)W|S_{\overline{ij}}} = P_{\mathrm{UNIF}} \cdot P_{W|S_{\overline{ij}}}$ for every non-degenerate linear function $\beta$ and any $i \ne j$. This is done by induction on $n$. The case $n = 2$ is covered by the proof of Theorem 3.6, and by induction assumption we may assume that it also holds for $n-1$. Let us fix some $\mathbf s \in \{0,1\}^{\ell n}$ and $i \in \{0,\ldots,n-1\}$. It is easy to see that the assumed uniformity property on $S_0,\ldots,S_{n-1},W$ implies the corresponding uniformity property on $S_{\bar i}, W$ when conditioning on $S_i = s_i$, and therefore, by induction assumption and "multiplying out the conditioning",

$$p_{\mathbf s} = \sum_{\mathbf t} p_{\mathbf t} - (n-2)\,p_{o,\ldots,o,s_i,o,\ldots,o} \qquad (3.6)$$

where the sum is over all $\mathbf t \in \{0,1\}^{\ell n}$ with $t_i = s_i$ and $\mathbf t_{\bar i} \in S_1(\mathbf s_{\bar i})$. Summing all the equations over $i \in \{0,\ldots,n-1\}$ yields

$$n \cdot p_{\mathbf s} = 2\sum_{\mathbf t \in S_2(\mathbf s)} p_{\mathbf t} - (n-2)\sum_{\mathbf t \in S_1(\mathbf s)} p_{\mathbf t}. \qquad (3.7)$$

By a similar reasoning we can also derive from the case $n = 2$ that equations of type (3.2) hold conditioned on the event that all but two of the $S_i$'s are zero. More formally, we have that for all $i < j \in \{0,\ldots,n-1\}$,

$$p_{o,\ldots,o,s_i,o,\ldots,o,s_j,o,\ldots,o} = p_{o,\ldots,o,s_i,o,\ldots,o} + p_{o,\ldots,o,s_j,o,\ldots,o} - p_{o,\ldots,o}. \qquad (3.8)$$

Summing these equations over all $i < j \in \{0,\ldots,n-1\}$ yields

$$\sum_{\mathbf t \in S_2(\mathbf s)} p_{\mathbf t} = (n-1)\sum_{\mathbf t \in S_1(\mathbf s)} p_{\mathbf t} - \binom{n}{2} p_{o,\ldots,o}. \qquad (3.9)$$

We conclude by substituting (3.9) into (3.7) as follows

$$n \cdot p_{\mathbf s} = 2\sum_{\mathbf t \in S_2(\mathbf s)} p_{\mathbf t} - (n-2)\sum_{\mathbf t \in S_1(\mathbf s)} p_{\mathbf t} = 2\Bigl((n-1)\sum_{\mathbf t \in S_1(\mathbf s)} p_{\mathbf t} - \binom{n}{2} p_{o,\ldots,o}\Bigr) - (n-2)\sum_{\mathbf t \in S_1(\mathbf s)} p_{\mathbf t} = n\sum_{\mathbf t \in S_1(\mathbf s)} p_{\mathbf t} - n(n-1)\,p_{o,\ldots,o},$$

which is equation (3.5) after dividing by $n$, and thus finishes the induction step and the claim for $\varepsilon = 0$.



The General Case: For the non-zero error case, we follow the above argument, but keep track of the error. For technical reasons, we assume that the $S_i$'s are independent and uniformly distributed, and we assume that the assumed uniformity property with respect to NDLFs holds conditioned on $S_{\overline{ij}} = \mathbf s_{\overline{ij}}$ for any $\mathbf s_{\overline{ij}}$, not just on average, i.e., $\delta\bigl(P_{\beta(S_i,S_j)W|S_{\overline{ij}} = \mathbf s_{\overline{ij}}},\, P_{\mathrm{UNIF}} \cdot P_{W|S_{\overline{ij}} = \mathbf s_{\overline{ij}}}\bigr) \le \nu$ for any $\mathbf s_{\overline{ij}} \in \{0,1\}^{\ell(n-2)}$. We show at the end of the proof how to argue in general. Write

$$\delta_{\mathbf s} = \Bigl|\sum_{\mathbf t \in S_1(\mathbf s)} p_{\mathbf t} - (n-1)\,p_{o,\ldots,o} - p_{\mathbf s}\Bigr|$$

such that (3.5) holds up to the error $\delta_{\mathbf s}$. Note that $\delta_{\mathbf s}$ depends on $w$; we also write $\delta_{\mathbf s}(w)$ to make this dependency explicit. We will argue, following the induction proof, that

$$\sum_{w,\mathbf s} \delta_{\mathbf s}(w) \le n(n-1) \cdot 2^{2\ell} \cdot \nu = \varepsilon.$$

The proof can then be completed analogously to the proof of Theorem 3.6 by "correcting" the values of $P_{S_0 \ldots S_{n-1}DW}$ appropriately.

By the proof of Theorem 3.6 the claimed inequality holds in case $n = 2$. For the induction step, note that by induction assumption, (3.6) holds up to $\delta_{\mathbf s_{\bar i}}(w) P_{S_i}(s_i)$ where

$$\sum_{w,\mathbf s_{\bar i}} \delta_{\mathbf s_{\bar i}}(w) \le (n-1)(n-2) \cdot 2^{2\ell} \cdot \nu.$$

Furthermore, from the case $n = 2$ it follows that equation (3.8) holds up to $\delta_{s_i,s_j}(w) P_{S_{\overline{ij}}}(o \cdots o)$, where (by the claimed inequality for $n = 2$)

$$\sum_{w,s_i,s_j} \delta_{s_i,s_j}(w) \le 2 \cdot 2^{2\ell} \cdot \nu,$$

and, by the additional assumption posed on the $S_i$'s, $P_{S_{\overline{ij}}}(o \cdots o) = 2^{-(n-2)\ell}$. It follows that (3.5) holds up to

$$\delta_{\mathbf s} \le \frac{1}{n}\Bigl(\sum_i \delta_{\mathbf s_{\bar i}}(w) P_{S_i}(s_i) + 2\sum_{i<j} \delta_{s_i,s_j}(w) P_{S_{\overline{ij}}}(o \cdots o)\Bigr)$$

such that

$$\sum_{w,\mathbf s} \delta_{\mathbf s}(w) \le \frac{1}{n}\Bigl(\sum_i \sum_{s_i} P_{S_i}(s_i) \sum_{w,\mathbf s_{\bar i}} \delta_{\mathbf s_{\bar i}}(w) + 2\sum_{i<j} \sum_{\mathbf s_{\overline{ij}}} P_{S_{\overline{ij}}}(o \cdots o) \sum_{w,s_i,s_j} \delta_{s_i,s_j}(w)\Bigr)$$
$$\le (n-1)(n-2) \cdot 2^{2\ell} \cdot \nu + (n-1) \cdot 2^{(n-2)\ell} \cdot 2^{-(n-2)\ell} \cdot 2 \cdot 2^{2\ell} \cdot \nu$$
$$= \bigl((n-1)(n-2) \cdot 2^{2\ell} + 2(n-1) \cdot 2^{2\ell}\bigr) \cdot \nu = n(n-1) \cdot 2^{2\ell} \cdot \nu = \varepsilon.$$

It remains to argue the case where the $S_i$'s are not independent uniformly distributed and/or the assumed uniformity property holds only on average over the $\mathbf s_{\overline{ij}}$'s. We first argue that we may indeed assume without loss of generality that the $S_i$'s are random: we consider $\tilde S_0, \ldots, \tilde S_{n-1}, \tilde W$ defined as $\tilde S_i = S_i \oplus R_i$ and $\tilde W = [W, R_0, \ldots, R_{n-1}]$ for independent and uniformly distributed $R_i$'s in $\{0,1\}^\ell$. It is easy to see that the assumed uniformity condition with respect to NDLFs on $S_0, \ldots, S_{n-1}, W$ implies the corresponding uniformity condition on $\tilde S_0, \ldots, \tilde S_{n-1}, \tilde W$ with the same "error" $\nu$, and it is obvious that the $\tilde S_i$'s are independent and uniformly distributed. Furthermore, it is easy to see that $\varepsilon$-sender-security for $\tilde S_0, \ldots, \tilde S_{n-1}, \tilde W$ implies $\varepsilon$-sender-security for $S_0, \ldots, S_{n-1}, W$ with the same $\varepsilon$. Thus it suffices to prove the claim for the case of random $S_i$'s.

Finally, in order to reason that we may assume that the uniformity property holds conditioned on every $\mathbf s_{\overline{ij}}$, where we now may already assume that the $S_i$'s are random due to the above observation, we again consider $\tilde S_0, \ldots, \tilde S_{n-1}, \tilde W$ defined as above. It is not hard to verify that due to this randomization and since the $S_i$'s are random, the average near-uniformity of $\beta(S_i,S_j)$ translates to a "worst-case" near-uniformity of $\beta(\tilde S_i,\tilde S_j)$ with the same $\nu$. □



3.6 1-2 OT in a Quantum Setting

As briefly mentioned in the introductory Section 3.1, the results of this chapter were originally motivated by the idea of using them to prove sender-security in the bounded-quantum-storage model of the 1-2 OT protocol presented later in Chapter 6. For this protocol, we can use a quantum uncertainty relation to show a lower bound on the min-entropy of the $n$-bit string $X$ transmitted by the sender using a quantum encoding.

If we had a quantum version of Theorem 3.6 at hand, we could use privacy amplification against quantum adversaries (Theorem 2.25) to prove sender-security against quantum-memory-bounded receivers. Unfortunately, the example below shows that such a quantum version of Theorem 3.6 cannot exist.

In the case of a dishonest quantum receiver $R$, the final state of a quantum protocol for Rand 1-2 OT is given by the ccq-state $\rho_{S_0 S_1 R}$. The condition for $\varepsilon$-sender-security given in Definition 6.1 requires the existence of a random variable $D \in \{0,1\}$ such that
$$\delta\big(\rho_{S_{1-D} S_D D R},\ \tfrac{1}{2^\ell}\mathbb{1} \otimes \rho_{S_D D R}\big) \le \varepsilon.$$
This coincides with the classical Definition 3.1 except that the dishonest receiver's output is a quantum state, and closeness is measured in terms of the trace-norm distance.

A quantum analogue of Theorem 3.6 would state that this condition is fulfilled if for every NDLF $\beta$,
$$\delta\big(\rho_{\beta(S_0,S_1) R},\ \tfrac12\mathbb{1} \otimes \rho_R\big) \le \varepsilon',$$
where $\varepsilon'$ is comparable to the classical parameter $\varepsilon/2^{2\ell+1}$.

Consider now the following example for 1-2 OT of bits $B_0, B_1$. We define the ccq-state $\rho_{B_0 B_1 R}$ as follows: let
$$\rho_{B_0 B_1 R} := \tfrac14\big(|00\rangle\langle 00| \otimes |0\rangle\langle 0| + |11\rangle\langle 11| \otimes |1\rangle\langle 1| + |01\rangle\langle 01| \otimes |+\rangle\langle +| + |10\rangle\langle 10| \otimes |-\rangle\langle -|\big),$$
where $|+\rangle\langle +|$ and $|-\rangle\langle -|$ are the projectors onto the states $|+\rangle := |0\rangle_\times = \frac{|0\rangle + |1\rangle}{\sqrt 2}$ and $|-\rangle := |1\rangle_\times = \frac{|0\rangle - |1\rangle}{\sqrt 2}$.

For this state, it is clear that the XOR $B_0 \oplus B_1$ is perfectly hidden from the dishonest receiver holding $\rho_R$: conditioned on $B_0 \oplus B_1 = 0$ the receiver holds $\tfrac12(|0\rangle\langle 0| + |1\rangle\langle 1|) = \tfrac12\mathbb{1}$, and conditioned on $B_0 \oplus B_1 = 1$ he holds $\tfrac12(|+\rangle\langle +| + |-\rangle\langle -|) = \tfrac12\mathbb{1}$, i.e. $\rho_{(B_0\oplus B_1) R} = \tfrac12\mathbb{1} \otimes \rho_R$.

On the other hand, $R$ can determine the bit of his choice by measuring in the Breidbart basis $\{\cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle,\ \sin(\pi/8)|0\rangle - \cos(\pi/8)|1\rangle\}$ if he is interested in the first bit, or by measuring in the Breidbart basis rotated by 45 degrees if he wants to obtain the second bit. It is easy to see that such a measurement succeeds in yielding the correct bit with probability $\cos(\pi/8)^2 \approx 0.85$. This precludes the existence of a pointer variable $D \in \{0,1\}$ such that perfect sender-security in the sense of Definition 6.1 holds: whichever bit $D$ points to, the other bit $B_{1-D}$ would have to look uniform given the receiver's state, yet it can be guessed with probability $0.85 > 1/2$.

It is unclear how that difficulty can be overcome, but it is clear from the simple example above that a statement like in Theorem 3.6 with comparable parameters cannot hold. Therefore, the alternative approach via the entropy-splitting Lemma 2.15 (outlined at the end of Section 3.4.2) will be taken in Chapter 6 to show sender-security.
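The two claims about the example state above (the XOR is perfectly hidden, yet either single bit is guessable with probability $\cos(\pi/8)^2$) can be checked numerically. The following script is an added example, not part of the thesis: it encodes the four receiver states as real qubits, computes the trace distance between the two XOR-conditioned receiver states, and evaluates the success probability of the Breidbart measurement for each bit. All vectors are real, so plain Python suffices; the constant `COS2_PI_8` is the closed form $(2+\sqrt 2)/4$ of $\cos(\pi/8)^2$.

```python
"""Check of the 1-2 OT counterexample from Section 3.6 (added example, not from the thesis).

All states are real qubits, so vectors are pairs of floats and density matrices
are 2x2 nested lists; no numpy needed.
"""
import math

S = 1 / math.sqrt(2)
KET0, KET1 = (1.0, 0.0), (0.0, 1.0)
KETP, KETM = (S, S), (S, -S)          # |+> = |0>_x and |-> = |1>_x

# Receiver's (pure) state for each pair (b0, b1) of the ccq-state rho_{B0 B1 R};
# each pair has probability 1/4.
RECEIVER_STATE = {(0, 0): KET0, (1, 1): KET1, (0, 1): KETP, (1, 0): KETM}


def proj(v):
    """Rank-one projector |v><v| of a real unit vector."""
    return [[v[i] * v[j] for j in range(2)] for i in range(2)]


def trace_distance(rho, sigma):
    """delta(rho, sigma) = 1/2 * sum |eigenvalues of rho - sigma| for real symmetric 2x2 matrices."""
    d = [[rho[i][j] - sigma[i][j] for j in range(2)] for i in range(2)]
    tr = d[0][0] + d[1][1]
    det = d[0][0] * d[1][1] - d[0][1] * d[1][0]
    disc = math.sqrt(max(tr * tr - 4 * det, 0.0))
    return 0.5 * (abs((tr + disc) / 2) + abs((tr - disc) / 2))


def xor_conditioned_states():
    """Receiver's state given B0 xor B1 = 0 and given B0 xor B1 = 1 (each a mixture of two pairs)."""
    out = {0: [[0.0, 0.0], [0.0, 0.0]], 1: [[0.0, 0.0], [0.0, 0.0]]}
    for (b0, b1), v in RECEIVER_STATE.items():
        p = proj(v)
        for i in range(2):
            for j in range(2):
                out[b0 ^ b1][i][j] += 0.5 * p[i][j]   # P[(b0, b1) | xor value] = 1/2
    return out[0], out[1]


def xor_leakage():
    """Trace distance between the two XOR-conditioned states: 0 means the XOR is perfectly hidden."""
    r0, r1 = xor_conditioned_states()
    return trace_distance(r0, r1)


def breidbart_basis(angle):
    """{cos(a)|0> + sin(a)|1>, sin(a)|0> - cos(a)|1>}; the outcome index is the guessed bit."""
    return [(math.cos(angle), math.sin(angle)), (math.sin(angle), -math.cos(angle))]


def guess_success(bit_index):
    """Probability that the Breidbart measurement returns bit B_{bit_index}.

    Angle pi/8 targets B0; angle -pi/8 is the same basis rotated by 45 degrees
    (up to relabelling the two outcomes) and targets B1.
    """
    basis = breidbart_basis(math.pi / 8 if bit_index == 0 else -math.pi / 8)
    total = 0.0
    for (b0, b1), v in RECEIVER_STATE.items():
        e = basis[(b0, b1)[bit_index]]          # basis vector labelled with the true bit
        amp = e[0] * v[0] + e[1] * v[1]
        total += 0.25 * amp * amp
    return total


COS2_PI_8 = (2 + math.sqrt(2)) / 4   # cos(pi/8)^2, the value claimed in the text
```

Both `guess_success(0)` and `guess_success(1)` evaluate to exactly `COS2_PI_8`, while `xor_leakage()` is zero: every NDLF of the two bits (here the XOR) is uniform given the receiver's state, yet the receiver can bias either bit, which is precisely why no quantum analogue of Theorem 3.6 with comparable parameters can exist.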



Chapter 4

Quantum Uncertainty Relations

Quantum uncertainty relations are the fundamental tool for the security analysis of protocols in the bounded-quantum-storage model presented later in this thesis. We start off with some preliminary tools in Section 4.1 and proceed to the history of uncertainty relations in Section 4.2. Then, we derive new high-order entropic uncertainty relations for two (Section 4.3) and more (Section 4.4) mutually unbiased bases. In the last Section 4.5 we investigate the situation where for each qubit, a basis is picked independently at random from a set of bases.

The results in this chapter are based on joint work with Damgård, Fehr, Salvail and Renner which appeared in [DFSS08], [DFR+07].



4.1 Preliminaries

4.1.1 Operators and Norms

For a linear operator $A$ on the complex Hilbert space $\mathcal{H}$, we define the operator norm
$$\|A\| := \sup_{\langle x|x\rangle = 1} \|A|x\rangle\|$$
for the Euclidean norm $\|x\| := \sqrt{\langle x|x\rangle}$ of the vector $|x\rangle \in \mathcal{H}$. When $A$ is Hermitian, i.e. the complex conjugate transpose $A^*$ and $A$ coincide, we have
$$\|A\| = \lambda_{\max}(A) := \max\{|\lambda_i| : \lambda_i \text{ an eigenvalue of } A\}.$$
From the equivalent definition of the norm $\|A\| = \sup_{\langle y|y\rangle = \langle x|x\rangle = 1} |\langle y|A|x\rangle|$, it is easy to see that $\|A^*\| = \|A\|$. For two Hermitian matrices $A$ and $B$, we have that $\|AB\| = \|(AB)^*\| = \|B^*A^*\| = \|BA\|$. The operator norm is unitarily invariant, i.e. for all unitary $U, V$, $\|A\| = \|UAV\|$ holds. It is easy to show that
$$\Big\|\begin{pmatrix} A & 0 \\ 0 & B \end{pmatrix}\Big\| = \max\{\|A\|, \|B\|\}.$$
Lemma 4.1 Let $X, Y$ be any two $n \times n$ matrices such that the products $XY$ and $YX$ are Hermitian. Then, we have
$$\|XY\| = \|YX\|.$$

Proof: For any two $n \times n$ matrices $X$ and $Y$, $XY$ and $YX$ have the same eigenvalues, see e.g. [Bha97, Exercise I.3.7]. Therefore, $\|XY\| = \lambda_{\max}(XY) = \lambda_{\max}(YX) = \|YX\|$. $\square$

A linear operator $P$ such that $P^2 = P$ and $P^* = P$ is called an orthogonal projector.

Proposition 4.2 Let $A$ and $B$ be two orthogonal projectors. Then it holds that $\|A + B\| \le 1 + \|AB\|$.

Proof: We adapt a technique by Kittaneh [Kit97] to our case. Define two $2 \times 2$-block matrices $X$ and $Y$ as follows
$$X := \begin{pmatrix} A & B \\ 0 & 0 \end{pmatrix} \quad\text{and}\quad Y := \begin{pmatrix} A & 0 \\ B & 0 \end{pmatrix}.$$
Using $A^2 = A$ and $B^2 = B$, we compute
$$XY = \begin{pmatrix} A + B & 0 \\ 0 & 0 \end{pmatrix} \quad\text{and}\quad YX = \begin{pmatrix} A & AB \\ BA & B \end{pmatrix} = \begin{pmatrix} A & 0 \\ 0 & B \end{pmatrix} + \begin{pmatrix} 0 & AB \\ BA & 0 \end{pmatrix}.$$
As $A$ and $B$ are Hermitian, so are $A + B$, $XY$ and $YX$ (note that $(AB)^* = BA$, so the off-diagonal blocks of $YX$ are adjoints of each other). We use Lemma 4.1 and the triangle inequality to obtain
$$\|A + B\| = \|XY\| = \|YX\| \le \Big\|\begin{pmatrix} A & 0 \\ 0 & B \end{pmatrix}\Big\| + \Big\|\begin{pmatrix} 0 & AB \\ BA & 0 \end{pmatrix}\Big\|.$$
Using the unitary invariance of the operator norm to permute the columns in the rightmost matrix and the facts that $\|A\| = \|B\| = 1$ (for nonzero projectors; if one of them is zero the claim is trivial) as well as $\|AB\| = \|BA\|$, we conclude that
$$\|A + B\| \le 1 + \|AB\|.$$
$\square$

A nice feature of this block-matrix technique is that it generalizes easily to more projectors.



Proposition 4.3 For orthogonal projectors $A_0, A_1, \dots, A_M$, it holds that
$$\Big\|\sum_{i=0}^{M} A_i\Big\| \le 1 + M \cdot \max_{0 \le i < j \le M} \|A_i A_j\|. \qquad (4.1)$$

Proof: Defining
$$X := \begin{pmatrix} A_0 & A_1 & \cdots & A_M \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix} \quad\text{and}\quad Y := \begin{pmatrix} A_0 & 0 & \cdots & 0 \\ A_1 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ A_M & 0 & \cdots & 0 \end{pmatrix}$$
yields
$$XY = \begin{pmatrix} A_0 + A_1 + \dots + A_M & 0 & \cdots & 0 \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix} \quad\text{and}\quad YX = \begin{pmatrix} A_0 & A_0 A_1 & \cdots & A_0 A_M \\ A_1 A_0 & A_1 & \cdots & A_1 A_M \\ \vdots & \vdots & \ddots & \vdots \\ A_M A_0 & A_M A_1 & \cdots & A_M \end{pmatrix}.$$
The matrix $YX$ can be additively decomposed into $M + 1$ matrices according to the following pattern
$$YX = \begin{pmatrix} * & & & \\ & * & & \\ & & \ddots & \\ & & & * \end{pmatrix} + \begin{pmatrix} 0 & * & & \\ & 0 & \ddots & \\ & & \ddots & * \\ * & & & 0 \end{pmatrix} + \dots + \begin{pmatrix} 0 & & & * \\ * & 0 & & \\ & \ddots & \ddots & \\ & & * & 0 \end{pmatrix},$$
where the asterisks stand for entries of $YX$ and for $i = 0, \dots, M$ the $i$th asterisk pattern is obtained by $i$ cyclic shifts of the columns of the diagonal pattern (the $0$th pattern being the diagonal pattern itself). Entries without asterisk are zero.

As in the proof of Proposition 4.2, $XY$ and $YX$ are Hermitian and we use Lemma 4.1, the triangle inequality, the unitary invariance of the operator norm (each shifted pattern becomes block-diagonal after a permutation of its columns, so its norm is the maximum norm of its $M + 1$ nonzero blocks) and the facts that for all $i \ne j$: $\|A_i\| = 1$ and $\|A_i A_j\| = \|A_j A_i\|$ to obtain the desired statement (4.1). $\square$



4.1.2 Azuma's Inequality

As we will exclusively use the concentration result at the end of this section, we only give an informal definition of martingales. We refer to [AS00] or [MP95] for a more detailed treatment.

Definition 4.4 A sequence of real random variables $X_0, X_1, \dots$ is a martingale sequence, if for all $i = 1, 2, \dots$, it holds that $\mathrm{E}[X_i \mid X_0, \dots, X_{i-1}] = X_{i-1}$.

Theorem 4.5 (Azuma's inequality [Azu67]) Let $X_0, X_1, \dots$ be a martingale sequence such that for each $k$, $|X_k - X_{k-1}| \le c_k$, where $c_k$ may depend on $k$. Then, for all $t \ge 0$ and any $r > 0$,
$$\Pr[X_t - X_0 \ge r] \le \exp\Big(-\frac{r^2}{2\sum_{k=1}^{t} c_k^2}\Big).$$
The theorem is often stated as a two-sided bound with absolute values:
$$\Pr\big[|X_t - X_0| \ge r\big] \le 2\exp\Big(-\frac{r^2}{2\sum_{k=1}^{t} c_k^2}\Big),$$
but the one-sided version fits our purposes better.

Definition 4.6 A sequence of real-valued random variables $R_1, \dots, R_n$ is called a martingale difference sequence if for every $i$ and every $r_1, \dots, r_{i-1} \in \mathbb{R}$:
$$\mathrm{E}[R_i \mid R_1 = r_1, \dots, R_{i-1} = r_{i-1}] = 0.$$

Note that for an arbitrary sequence of real random variables $S_0, S_1, \dots \in \mathbb{R}$, defining $R_i := S_i - \mathrm{E}[S_i \mid S_0, \dots, S_{i-1}]$ yields a martingale difference sequence $R_1, R_2, \dots$, and the partial sums $X_n := \sum_{i=1}^{n} R_i$ (with $X_0 := 0$) form a martingale sequence.

The following corollary follows directly from Azuma's Theorem 4.5.

Corollary 4.7 Let $R_1, \dots, R_n$ be a martingale difference sequence such that $|R_i| \le c$ for every $1 \le i \le n$. Then, for any $\lambda > 0$,
$$\Pr\Big[\sum_{i=1}^{n} R_i \ge \lambda n\Big] \le \exp\Big(-\frac{\lambda^2 n}{2c^2}\Big).$$

Proof: Set $r := \lambda n$, $X_0 := 0$, and for $n \ge 1$, $X_n := \sum_{i=1}^{n} R_i$ in Theorem 4.5. $\square$
4.1.3 Mathematical Tools

The following two purely analytical lemmas will be used to bound some error terms.

Lemma 4.8 For any $0 < x < 1/e$ such that $y := x\log(1/x) < 1/4$, it holds that $x \ge \dfrac{y}{4\log(1/y)}$.

Proof: Define the function $x \mapsto f(x) = x\log(1/x)$. It holds that $f'(x) = \frac{d}{dx}f(x) = \log(1/x) - \log e$, which shows that $f$ is bijective in the interval $(0, 1/e)$, and thus the inverse function $f^{-1}(y)$ is well defined for $y \in (0, \log(e)/e)$, which contains the interval $(0, 1/4)$. We are going to show that $f^{-1}(y) \ge g(y)$ for all $y \in (0, 1/4)$, where $g(y) = \frac{y}{4\log(1/y)}$. Since both $f^{-1}(y)$ and $g(y)$ converge to $0$ for $y \to 0$, it suffices to show that $\frac{d}{dy}f^{-1}(y) \ge \frac{d}{dy}g(y)$; respectively, we will compare their reciprocals. For any $x \in (0, 1/e)$ such that $y = f(x) = x\log(1/x) < 1/4$,
$$\Big(\frac{d}{dy}f^{-1}(y)\Big)^{-1} = f'\big(f^{-1}(y)\big) = \log(1/x) - \log(e)$$
and
$$\frac{d}{dy}g(y) = \frac14\Big(\frac{1}{\log(1/y)} + \frac{1}{\ln(2)\log(1/y)^2}\Big),$$
such that
$$\Big(\frac{d}{dy}g(y)\Big)^{-1} = \frac{4\ln(2)\log(1/y)^2}{\ln(2)\log(1/y) + 1} = \frac{4\log(1/y)}{1 + \frac{1}{\ln(2)\log(1/y)}} \ge 2\log(1/y) = 2\log\Big(\frac{1}{x\log(1/x)}\Big) = 2\big(\log(1/x) - \log\log(1/x)\big),$$
where for the inequality we are using that $y < 1/4$ so that $\ln(2)\log(1/y) \ge 2\ln(2) = \ln(4) > 1$. Defining the function
$$h(z) := z - 2\log(z) + \log(e)$$
and showing that $h(z) \ge 0$ for all $z > 0$ finishes the proof, as then
$$0 \le h\big(\log(1/x)\big) = 2\big(\log(1/x) - \log\log(1/x)\big) - \big(\log(1/x) - \log(e)\big),$$
i.e. $\big(\frac{d}{dy}f^{-1}(y)\big)^{-1} \le \big(\frac{d}{dy}g(y)\big)^{-1}$, which was to be shown. For this last claim, note that $h(z) \to \infty$ for $z \to 0$ and for $z \to \infty$, and thus the global minimum is at $z_0$ with $h'(z_0) = 0$. $h'(z) = 1 - 2/(\ln(2)z)$ and thus $z_0 = 2/\ln(2) = 2\log(e)$, and hence the minimum of $h(z)$ equals $h(z_0) = 3\log(e) - 2\log(2\log(e))$, which turns out to be positive. $\square$

Lemma 4.9 For any $0 < x < 1/4$, it holds that $\exp\Big(-\dfrac{x^2}{32(2 - \log(x))^2}\Big) \le 2^{-x^4/32}$.

Proof: Note that $\exp\Big(-\frac{x^2}{32(2-\log(x))^2}\Big) = 2^{-\frac{\log(e)\,x^2}{32(2-\log(x))^2}}$. Therefore, as $\log(e) > 1$, it suffices to show that $x^4 \le \frac{x^2}{(2-\log(x))^2}$, or equivalently that the function $x \mapsto f(x) := x^2(2 - \log(x))^2$ is at most $1$ for $0 < x < 1/4$. It holds that $f(0) = 0$ and $f(1/4) = 1$ and it is easy to see that $f$ is a continuous increasing function, e.g. by verifying that for the first derivative
$$\frac{d}{dx}f(x) = 2x\,(2 - \log(x))\Big(2 - \log(x) - \frac{1}{\ln(2)}\Big) > 0$$
holds for $0 < x < 1/4$. $\square$



4.2 History and Previous Work

4.2.1 Mutually Unbiased Bases

Definition 4.10 (Mutually Unbiased Bases (MUBs)) Two orthonormal bases $\mathcal{B}^0 := \{|a_i\rangle\}_{i=1}^{N}$ and $\mathcal{B}^1 := \{|b_j\rangle\}_{j=1}^{N}$ of the complex Hilbert space $\mathcal{H}_N$ of dimension $N := 2^n$ are called mutually unbiased if
$$\forall\, i, j \in \{1, \dots, N\}: \quad |\langle a_i | b_j \rangle| = \frac{1}{\sqrt N}.$$
More bases $\mathcal{B}^0, \mathcal{B}^1, \dots, \mathcal{B}^M$ of this space $\mathcal{H}_N$ are called mutually unbiased, if every pair of them is mutually unbiased.

Wiesner showed in 1970 in one of the first articles about quantum cryptography [Wie83] that there are at least $m$ mutually unbiased bases in a Hilbert space of dimension $2^{(m-1)!/2}$. Later, optimal constructions of $N + 1$ mutually unbiased bases in a Hilbert space of dimension $N$ were shown by Ivanovic when $N$ is prime [Ivo81] and by Wootters and Fields for $N$ a prime power [WF89] (in particular, for $N = 2^n$ in the case of $n$ qubits). A nice construction based on the stabilizer formalism can be found in the article by Lawrence, Brukner, and Zeilinger [LBZ02]. It turned out to be an intriguing question to determine the maximal number of mutually unbiased bases in other dimensions; already the case $N = 6$ is still open [Eng03].

For a density matrix $\rho$ describing the state of $n$ qubits, let $Q^0_\rho(\cdot), Q^1_\rho(\cdot), \dots, Q^M_\rho(\cdot)$ be the probability distributions over $n$-bit strings when measuring $\rho$ in bases $\mathcal{B}^0, \mathcal{B}^1, \dots, \mathcal{B}^M$, respectively. For instance, for basis $\mathcal{B}^0 = \{|a_i\rangle\}_{i=1}^{N}$ and basis $\mathcal{B}^1 = \{|b_j\rangle\}_{j=1}^{N}$, we have $Q^0_\rho(i) = \langle a_i|\rho|a_i\rangle$ and $Q^1_\rho(j) = \langle b_j|\rho|b_j\rangle$. We leave out the state $\rho$ in the subscript when it is clear from the context.

4.2.2 Uncertainty Relations Using Shannon Entropy

The history of uncertainty relations starts with Heisenberg who showed that the outcomes of two non-commuting observables applied to a quantum state are not easy to predict simultaneously [Hei27]. However, Heisenberg only speaks about the variance of the measurement results, and his result was shown to have several shortcomings by Deutsch [Deu83] and Hilgevoord and Uffink [HU88]. More general forms of uncertainty relations were proposed by Bialynicki-Birula and Mycielski in [BBM75] and by Deutsch [Deu83] to resolve these problems. The new relations were called entropic uncertainty relations, because they are expressed using Shannon entropy instead of the statistical variance. For mutually unbiased bases, Deutsch's relation reads
$$H(Q^0) + H(Q^1) \ge -2\log\Big(\tfrac12\Big(1 + \tfrac{1}{\sqrt N}\Big)\Big).$$
A much stronger bound was first conjectured by Kraus [Kra87] and later proved by Maassen and Uffink [MU88]:
$$H(Q^0) + H(Q^1) \ge \log N = n. \qquad (4.2)$$
Intuitively, these bounds assure that if you know the outcome of measuring $\rho$ in basis $\mathcal{B}^0$ pretty well, you have large uncertainty when measuring in the other basis $\mathcal{B}^1$.

Note that for entropic bounds using Shannon entropy, it is sufficient to state them for pure states. They then automatically hold for mixed states by concavity.

Lemma 4.11 If $H(Q^0_\psi) + H(Q^1_\psi) \ge k$ holds for all pure states $|\psi\rangle \in \mathcal{H}$, then $H(Q^0_\rho) + H(Q^1_\rho) \ge k$ holds for all (possibly mixed) states $\rho \in \mathcal{P}(\mathcal{H})$.

Proof: Let $\rho = \sum_x \lambda_x |\varphi_x\rangle\langle\varphi_x|$ be the spectral decomposition of a mixed state. We then have for $i = 0, 1$ that $Q^i_\rho = \sum_x \lambda_x Q^i_{\varphi_x}$ and therefore by concavity of the Shannon entropy (Lemma 2.10)
$$H(Q^0_\rho) + H(Q^1_\rho) \ge \sum_x \lambda_x\big(H(Q^0_{\varphi_x}) + H(Q^1_{\varphi_x})\big) \ge k.$$
$\square$

Although a bound on Shannon entropy can be helpful in some cases, it is usually not good enough in cryptographic applications. The main tool to reduce the adversary's information, privacy amplification by two-universal hashing, requires a bound on the adversary's min-entropy (in fact collision entropy), see Section 2.3. As $H(Q) \ge H_\alpha(Q)$ for $\alpha > 1$, lower bounds on higher-order entropies are generally smaller in value and harder to obtain, but they imply the same bounds for the Shannon entropy as well.

4.2.3 Higher-Order Entropic Uncertainty Relations

Different results are known for complete sets of $N + 1$ mutually unbiased bases of $\mathcal{H}_N$. All of them are based on the following surprising geometrical result by Larsen.

Theorem 4.12 ([Lar90]) Let $Q^0_\rho, \dots, Q^N_\rho$ be the $N + 1$ distributions obtained by measuring state $\rho$ in mutually unbiased bases $\mathcal{B}^0, \dots, \mathcal{B}^N$ of the Hilbert space $\mathcal{H}_N$. Then,
$$\sum_{i=0}^{N} \pi_2(Q^i_\rho) = 1 + \mathrm{tr}(\rho^2), \qquad (4.3)$$
where $\pi_2(Q) = \sum_x Q(x)^2$ denotes the collision probability of a distribution $Q$ (cf. the corresponding definition in Chapter 2).

For a pure state $\rho = |\psi\rangle\langle\psi|$, $\mathrm{tr}(\rho^2) = 1$ holds and the right hand side of (4.3) equals $2$. In this case, using that $x \mapsto -\log(x)$ is a convex function, Sánchez-Ruiz [San95] applies Jensen's inequality (Lemma 2.2) to derive the following lower bound on the sum of the collision entropies
$$\sum_{i=0}^{N} H_2(Q^i) = \sum_{i=0}^{N} -\log\big(\pi_2(Q^i)\big) \ge -(N+1)\log\Big(\frac{\sum_{i=0}^{N}\pi_2(Q^i)}{N+1}\Big) = (N+1)\log\Big(\frac{N+1}{2}\Big).$$
Because higher-order Rényi entropy is not concave, we cannot immediately extend an uncertainty relation for pure states to mixed states the way Lemma 4.11 does for Shannon entropy. On the other hand, the following lemma shows that uncertainty relations based on upper bounds of high-order probability sums for pure states also hold for mixed states and therefore translate to entropy lower bounds for mixed states.

Lemma 4.13 Let $\alpha \in (1, \infty]$. If $\sum_{i=0}^{M} \pi_\alpha(Q^i_\psi) \le c$ for all pure states $|\psi\rangle$, then for all mixed states $\rho$,
$$\sum_{i=0}^{M} H_\alpha(Q^i_\rho) \ge (M+1)\log\Big(\frac{M+1}{c}\Big).$$
Equality holds for a state $\rho$ for which $\pi_\alpha(Q^i_\rho) = \frac{c}{M+1}$ for all $i$.

Proof: As $x \mapsto x^\alpha$ is convex for $\alpha > 1$, $\pi_\alpha(\cdot)$ is a convex functional (for $\alpha = \infty$, $\pi_\infty(Q) = \max_x Q(x)$ is convex as a maximum of linear functions). Therefore, for a mixed state $\rho = \sum_x \lambda_x |\varphi_x\rangle\langle\varphi_x|$, we have $Q^i_\rho = \sum_x \lambda_x Q^i_{\varphi_x}$ and
$$\sum_{i=0}^{M} \pi_\alpha(Q^i_\rho) \le \sum_{i=0}^{M}\sum_x \lambda_x\,\pi_\alpha(Q^i_{\varphi_x}) = \sum_x \lambda_x \sum_{i=0}^{M}\pi_\alpha(Q^i_{\varphi_x}) \le c.$$
Just as above it follows by Jensen's inequality (Lemma 2.2) that
$$\sum_{i=0}^{M} H_\alpha(Q^i_\rho) = \sum_{i=0}^{M} -\log\big(\pi_\alpha(Q^i_\rho)\big) \ge -(M+1)\log\Big(\frac{\sum_{i=0}^{M}\pi_\alpha(Q^i_\rho)}{M+1}\Big) \ge (M+1)\log\Big(\frac{M+1}{c}\Big).$$
Jensen's inequality is tight if the values $\pi_\alpha(Q^i_\rho)$ are all equal. $\square$

For incomplete sets of bases $\mathcal{B}^0, \dots, \mathcal{B}^M$ with $1 \le M < N$, the current state-of-the-art bound was independently obtained by Damgård, Pedersen and Salvail [DPS04] and Azarchs [Aza04] by subtracting the minimal amount of collision probability ($1/N$) in the bases not included in the sum:
$$\sum_{i=0}^{M} \pi_2(Q^i) \le 2 - \frac{(N+1) - (M+1)}{N} = \frac{N+M}{N}. \qquad (4.4)$$
By Lemma 4.13 this yields
$$\sum_{i=0}^{M} H_2(Q^i) \ge (M+1)\log\Big(\frac{(M+1)N}{N+M}\Big). \qquad (4.5)$$

As mentioned above, all lower bounds on the collision entropy from this section imply bounds on the Shannon entropy because $H(Q) \ge H_2(Q)$, but do not tell us anything about the min-entropy $H_\infty(Q)$. In the rest of this chapter, we derive entropic uncertainty relations involving min-entropy.

Uncertainty relations in terms of Rényi entropy have also been studied in a different context by Bialynicki-Birula [BB06].



4.3 Two Mutually Unbiased Bases

In this section, we consider the situation where an $n$-qubit state is measured in one out of two mutually unbiased bases of $\mathcal{H}_{2^n}$. Without loss of generality, we assume these two bases to be the $n$-fold tensor product of the computational basis $+^{\otimes n}$ and of the diagonal basis $\times^{\otimes n}$, in this section simply called $+$- and $\times$-basis.

We show that two distributions obtained by measuring in two mutually unbiased bases cannot both be "very far from uniform". One way to characterize non-uniformity of a distribution is to identify a subset of outcomes that has much higher probability than for a uniform choice. Intuitively, the theorem below says that such sets cannot be found simultaneously for both measurements.

Theorem 4.14 Let $\rho$ be an arbitrary state of $n$ qubits, and let $Q^+(\cdot)$ and $Q^\times(\cdot)$ be the respective distributions of the outcome when $\rho$ is measured in the $+$-basis respectively the $\times$-basis. Then, for any two sets $L^+ \subseteq \{0,1\}^n$ and $L^\times \subseteq \{0,1\}^n$ it holds that
$$Q^+(L^+) + Q^\times(L^\times) \le 1 + 2^{-n/2}\sqrt{|L^+|\,|L^\times|}.$$

Proof: We define the two orthogonal projectors
$$A := \sum_{x \in L^+} |x\rangle\langle x| \quad\text{and}\quad B := \sum_{y \in L^\times} H^{\otimes n}|y\rangle\langle y|H^{\otimes n}.$$
Using the spectral decomposition of $\rho = \sum_w \lambda_w |\varphi_w\rangle\langle\varphi_w|$, we have
$$\begin{aligned}
Q^+(L^+) + Q^\times(L^\times) &= \mathrm{tr}(A\rho) + \mathrm{tr}(B\rho)\\
&= \sum_w \lambda_w\big(\mathrm{tr}(A|\varphi_w\rangle\langle\varphi_w|) + \mathrm{tr}(B|\varphi_w\rangle\langle\varphi_w|)\big)\\
&= \sum_w \lambda_w\big(\langle\varphi_w|A|\varphi_w\rangle + \langle\varphi_w|B|\varphi_w\rangle\big)\\
&= \sum_w \lambda_w\,\langle\varphi_w|(A+B)|\varphi_w\rangle\\
&\le \|A + B\| \le 1 + \|AB\|,
\end{aligned}$$
where the last line is Proposition 4.2. To conclude, we show that $\|AB\| \le 2^{-n/2}\sqrt{|L^+|\,|L^\times|}$. Note that an arbitrary state $|\varphi\rangle = \sum_z \alpha_z H^{\otimes n}|z\rangle$ can be expressed with coordinates $\alpha_z$ in the diagonal basis. Then, with the sums over $x$ and $y$ understood as over $x \in L^+$ and $y \in L^\times$, respectively,
$$\begin{aligned}
\|AB|\varphi\rangle\| &= \Big\|\sum_{x,y} |x\rangle\langle x|H^{\otimes n}|y\rangle\langle y|H^{\otimes n}|\varphi\rangle\Big\| = \Big\|\sum_{x,y} \alpha_y\,\langle x|H^{\otimes n}|y\rangle\,|x\rangle\Big\|\\
&\le 2^{-n/2}\sqrt{|L^+|}\,\sum_y |\alpha_y| \le 2^{-n/2}\sqrt{|L^+|\,|L^\times|}.
\end{aligned}$$
The second equality holds since $\langle y|H^{\otimes n}|\varphi\rangle = \alpha_y$; the first inequality follows from Pythagoras and the triangle inequality, using that $|\langle x|H^{\otimes n}|y\rangle| = 2^{-n/2}$ as the two bases are mutually unbiased; and the last inequality follows from Cauchy-Schwarz (Lemma 2.3) together with $\sum_y |\alpha_y|^2 \le 1$. This implies $\|AB\| \le 2^{-n/2}\sqrt{|L^+|\,|L^\times|}$ and finishes the proof. $\square$

This theorem yields a meaningful bound as long as $|L^+| \cdot |L^\times| < 2^n$, for instance if $L^+$ and $L^\times$ both contain less than $2^{n/2}$ elements. The relation is tight in the sense that for the Hadamard-invariant state
$$|\psi\rangle = \big(|0\rangle^{\otimes n} + (H|0\rangle)^{\otimes n}\big)\big/\sqrt{2(1 + 2^{-n/2})}$$
and $L^+ = L^\times = \{0^n\}$, it is straightforward to verify that $Q^+(L^+) = Q^\times(L^\times) = (1 + 2^{-n/2})/2$ and therefore $Q^+(L^+) + Q^\times(L^\times) = 1 + 2^{-n/2}$. Another state that achieves equality (for $n$ even) is $|\varphi\rangle = |0\rangle^{\otimes n/2} \otimes (H|0\rangle)^{\otimes n/2}$ with $L^+ = \{0^{n/2}x \mid x \in \{0,1\}^{n/2}\}$ and $L^\times = \{x0^{n/2} \mid x \in \{0,1\}^{n/2}\}$. We get that $Q^+(L^+) = Q^\times(L^\times) = 1$ and thus $Q^+(L^+) + Q^\times(L^\times) = 2 = 1 + 2^{-n/2}\sqrt{2^n}$.

If for $r \in \{+, \times\}$, $L^r$ contains only the $n$-bit string with the maximal probability of $Q^r$, we obtain a known tight relation (see (9) in [MU88]).
Corollary 4.15 Let $q^+_\infty$ and $q^\times_\infty$ be the maximal probabilities of the distributions $Q^+$ and $Q^\times$ from above. It then holds that $q^+_\infty + q^\times_\infty \le 1 + c$ and therefore also $q^+_\infty \cdot q^\times_\infty \le \frac14(1 + c)^2$, where $c = 2^{-n/2}$.

Equality is achieved for the same state $|\psi\rangle = \big(|0\rangle^{\otimes n} + (H|0\rangle)^{\otimes n}\big)\big/\sqrt{2(1 + 2^{-n/2})}$ as above.

Using Lemma 4.13, the following corollary is obtained.

Corollary 4.16 For all quantum states $\rho$ of $n$ qubits, it holds that
$$H_\infty(Q^+) + H_\infty(Q^\times) \ge 2\big(1 - \log(1 + 2^{-n/2})\big).$$
There exists a quantum state achieving equality.
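Theorem 4.14, its two extremal states, Corollary 4.16 and Larsen's identity (4.3) from Section 4.2.3 can all be checked on concrete states with a few lines of code. The script below is an added example and not part of the thesis. It represents an $n$-qubit pure state as a list of $2^n$ amplitudes indexed by the bit string $x$, obtains the $\times$-basis distribution by applying $H^{\otimes n}$ as a normalised Walsh-Hadamard butterfly, and returns the slack of each inequality so that tightness shows up as a zero. The "random" state is a constructed, seeded one; `larsen_sum` uses the three qubit MUBs (the $Z$, $X$ and $Y$ eigenbases) as the $N+1 = 3$ bases of Theorem 4.12 for $N = 2$.

```python
"""Numerical check of Theorem 4.14, Corollary 4.16 and Larsen's identity (4.3).

Added example, not part of the thesis.  States are amplitude vectors of length 2^n
(index x read as the n-bit string x); plain Python, no numpy required.
"""
import math
import random


def walsh_hadamard(amps):
    """Apply H^{(x)n} to a 2^n-entry amplitude vector (butterfly transform, normalised)."""
    out = list(amps)
    h = 1
    while h < len(out):
        for i in range(0, len(out), 2 * h):
            for j in range(i, i + h):
                a, b = out[j], out[j + h]
                out[j], out[j + h] = a + b, a - b
        h *= 2
    scale = 1 / math.sqrt(len(out))
    return [a * scale for a in out]


def n_qubits(psi):
    return len(psi).bit_length() - 1


def dist_plus(psi):
    """Q^+: outcome distribution when measuring |psi> in the computational basis."""
    return [abs(a) ** 2 for a in psi]


def dist_cross(psi):
    """Q^x: outcome distribution when measuring |psi> in the diagonal basis."""
    return [abs(a) ** 2 for a in walsh_hadamard(psi)]


def random_pure_state(n, seed=7):
    """Constructed pseudo-random n-qubit pure state (complex Gaussian amplitudes, fixed seed)."""
    rng = random.Random(seed)
    amps = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(2 ** n)]
    norm = math.sqrt(sum(abs(a) ** 2 for a in amps))
    return [a / norm for a in amps]


def hadamard_invariant_state(n):
    """|psi> = (|0>^{(x)n} + (H|0>)^{(x)n}) / sqrt(2(1 + 2^{-n/2})), the extremal state of Theorem 4.14."""
    c = 2 ** (-n / 2)
    norm = math.sqrt(2 * (1 + c))
    return [((1.0 if x == 0 else 0.0) + c) / norm for x in range(2 ** n)]


def half_product_state(n):
    """|0>^{(x)n/2} (x) (H|0>)^{(x)n/2} for even n: the first n/2 bits (high bits of the index) are 0."""
    assert n % 2 == 0
    amp = 2 ** (-n / 4)
    return [amp if x < 2 ** (n // 2) else 0.0 for x in range(2 ** n)]


def theorem_4_14_slack(psi, l_plus, l_cross):
    """RHS minus LHS of  Q^+(L^+) + Q^x(L^x) <= 1 + 2^{-n/2} sqrt(|L^+| |L^x|);  never negative."""
    n = n_qubits(psi)
    qp, qx = dist_plus(psi), dist_cross(psi)
    lhs = sum(qp[x] for x in l_plus) + sum(qx[y] for y in l_cross)
    rhs = 1 + 2 ** (-n / 2) * math.sqrt(len(l_plus) * len(l_cross))
    return rhs - lhs


def min_entropy(q):
    return -math.log2(max(q))


def corollary_4_16_slack(psi):
    """H_inf(Q^+) + H_inf(Q^x) minus the bound 2(1 - log(1 + 2^{-n/2})); never negative."""
    n = n_qubits(psi)
    bound = 2 * (1 - math.log2(1 + 2 ** (-n / 2)))
    return min_entropy(dist_plus(psi)) + min_entropy(dist_cross(psi)) - bound


def larsen_sum(psi):
    """Sum of collision probabilities over the three qubit MUBs Z, X, Y.

    Theorem 4.12 (N = 2): the sum equals 1 + tr(rho^2), i.e. exactly 2 for a pure qubit."""
    assert len(psi) == 2
    s = 1 / math.sqrt(2)
    bases = [[(1, 0), (0, 1)], [(s, s), (s, -s)], [(s, s * 1j), (s, -s * 1j)]]
    total = 0.0
    for basis in bases:
        probs = [abs(complex(v[0]).conjugate() * psi[0] + complex(v[1]).conjugate() * psi[1]) ** 2
                 for v in basis]
        total += sum(p * p for p in probs)
    return total
```

For the Hadamard-invariant state with $L^+ = L^\times = \{0^n\}$ and for the half-product state with the two half-cube sets, both slacks are zero, confirming the tightness claims; for a generic state the slack is strictly positive, and the Corollary 4.16 bound is only attained by the Hadamard-invariant state.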

The following corollary plays the crucial role in the security proofs of protocols in the bounded-quantum-storage model presented in the following chapters of this thesis.

Corollary 4.17 Let $R$ be a random variable over $\{+, \times\}$, and let $X$ be the outcome when $\rho$ is measured in basis $R$, such that $P_{X|R}(x|r) = Q^r(x)$. Then, for any $\lambda < \frac12$ there exists $\kappa > 0$ and an event $\mathcal{E}$ such that
$$P[\mathcal{E} \mid R = +] + P[\mathcal{E} \mid R = \times] \ge 1 - 2^{-\kappa n}$$
and thus $P[\mathcal{E}] \ge \frac12 - 2^{-\kappa n}$ in case $R$ is uniform, and such that
$$H_\infty(X \mid R = r, \mathcal{E}) \ge \lambda n$$
for $r \in \{+, \times\}$ with $P_{R|\mathcal{E}}(r) > 0$.

Proof: Choose $\kappa > 0$ such that $\lambda + 2\kappa < \frac12$, and define
$$S^+ := \{x \in \{0,1\}^n : Q^+(x) < 2^{-(\lambda+\kappa)n}\} \quad\text{and}\quad S^\times := \{z \in \{0,1\}^n : Q^\times(z) < 2^{-(\lambda+\kappa)n}\}$$
to be the sets of strings with small probabilities and denote by $L^+ := \overline{S^+}$ and $L^\times := \overline{S^\times}$ their complements.[1] Note that for all $x \in L^+$, we have that $Q^+(x) \ge 2^{-(\lambda+\kappa)n}$ and therefore $|L^+| \le 2^{(\lambda+\kappa)n}$. Analogously, we have $|L^\times| \le 2^{(\lambda+\kappa)n}$. For ease of notation, we abbreviate the probabilities that strings with small probabilities occur with $q^+ := Q^+(S^+)$ and $q^\times := Q^\times(S^\times)$. It follows immediately from the choice of $\kappa$ and Theorem 4.14 that
$$q^+ + q^\times \ge 1 - 2^{-n/2}\cdot 2^{(\lambda+\kappa)n} \ge 1 - 2^{-\kappa n}.$$
We define $\mathcal{E}$ to be the event $X \in S^R$. Then $P[\mathcal{E} \mid R = +] = P[X \in S^+ \mid R = +] = q^+$ and similarly $P[\mathcal{E} \mid R = \times] = q^\times$, and thus the first claim follows immediately. Furthermore, if $R$ is uniformly distributed, then
$$P[\mathcal{E}] = P[\mathcal{E} \mid R = +]\,P_R(+) + P[\mathcal{E} \mid R = \times]\,P_R(\times) = \tfrac12(q^+ + q^\times) \ge \tfrac12 - 2^{-\kappa n}/2 \ge \tfrac12 - 2^{-\kappa n}.$$

Regarding the second claim, in case $R = +$, we have
$$H_\infty(X \mid R = +, \mathcal{E}) = -\log\Big(\max_{x \in S^+}\frac{Q^+(x)}{q^+}\Big) \ge -\log\Big(\frac{2^{-(\lambda+\kappa)n}}{q^+}\Big) = \lambda n + \kappa n + \log(q^+).$$
Thus, if $q^+ \ge 2^{-\kappa n}$ then indeed $H_\infty(X \mid R = +, X \in S^+) \ge \lambda n$. The corresponding holds for the case $R = \times$.

Finally, if $q^+ < 2^{-\kappa n}$ (or similarly $q^\times < 2^{-\kappa n}$) then instead of the above, we define $\mathcal{E}$ as the empty event if $R = +$ and as the event $X \in S^\times$ if $R = \times$. It follows that $P[\mathcal{E} \mid R = +] = 0$ and $P[\mathcal{E} \mid R = \times] = q^\times > 1 - 2\cdot 2^{-\kappa n}$ (which is at least $1 - 2^{-\kappa' n}$ for any $0 < \kappa' < \kappa$ and $n$ large enough, so one may replace $\kappa$ by such a $\kappa'$), as well as $H_\infty(X \mid R = \times, \mathcal{E}) = H_\infty(X \mid R = \times, X \in S^\times) \ge \lambda n + \kappa n + \log(q^\times) \ge \lambda n$ (for $n$ large enough), both by the bound on $q^+ + q^\times$ and on $q^+$, whereas $P_{R|\mathcal{E}}(+) = 0$. $\square$

[1] Here's the mnemonic: $S$ for the strings with Small probabilities, $L$ for Large.



4.4 More Mutually Unbiased Bases

In this section, we generalize the uncertainty relation derived in Section 4.3 to more than two mutually unbiased bases. Such uncertainty relations over more than two, but not all mutually unbiased bases in terms of min-entropy may be of independent interest, see the discussion at the end of Section 4.2.3.

Theorem 4.18 Let the density matrix $\rho$ describe the state of $n$ qubits and let $\mathcal{B}^0, \mathcal{B}^1, \dots, \mathcal{B}^M$ be mutually unbiased bases of $\mathcal{H}_{2^n}$. Let $Q^0(\cdot), Q^1(\cdot), \dots, Q^M(\cdot)$ be the distributions of the outcome when $\rho$ is measured in bases $\mathcal{B}^0, \mathcal{B}^1, \dots, \mathcal{B}^M$, respectively. Then, for any sets $L^0, L^1, \dots, L^M \subseteq \{0,1\}^n$, it holds that
$$\sum_{i=0}^{M} Q^i(L^i) \le 1 + M \cdot 2^{-n/2}\max_{0 \le i < j \le M}\sqrt{|L^i|\,|L^j|}.$$

Proof: Except for using Proposition 4.3 instead of Proposition 4.2, the proof is analogous to the one of Theorem 4.14. $\square$

As in Corollary 4.16, we derive an uncertainty relation about the sum of the min-entropies of up to $2^{n/2}$ distributions.

Corollary 4.19 For an $\varepsilon > 0$, let $0 < M \le 2^{n/2 - \varepsilon n}$. For $i = 0, \dots, M$, let $H_\infty(Q^i)$ be the min-entropies of the distributions $Q^i$ from the theorem above. Then,
$$\sum_{i=0}^{M} H_\infty(Q^i) \ge (M+1)\big(\log(M+1) - \mathrm{negl}(n)\big).$$

Proof: For $i = 0, \dots, M$, we denote by $q^i_\infty$ the maximal probability of $Q^i$ and let $L^i$ be the set containing only the $n$-bit string $x$ with this maximal probability $q^i_\infty$. Theorem 4.18 together with the assumption about $M$ assures $\sum_{i=0}^{M} q^i_\infty \le 1 + M\cdot 2^{-n/2} \le 1 + 2^{-\varepsilon n} = 1 + \mathrm{negl}(n)$. By Lemma 4.13 it follows that
$$\sum_{i=0}^{M} H_\infty(Q^i) \ge (M+1)\log\Big(\frac{M+1}{1 + \mathrm{negl}(n)}\Big) = (M+1)\big(\log(M+1) - \mathrm{negl}(n)\big).$$
$\square$

4.5 Independent Bases for Each Subsystem

So far, we have focused on the case of an $n$-qubit state $\rho \in \mathcal{P}(\mathcal{H}_{2^n})$ measured in two or more mutually unbiased bases of $\mathcal{H}_{2^n}$. In this section, we investigate the case when each of the $n$ qubits is measured in an individual basis, picked independently and uniformly from $\{+, \times\}$, i.e. $\rho$ is measured in basis $\theta \in_R \{+, \times\}^n$.

More generally, our result holds for a state $\rho \in \mathcal{P}(\mathcal{H}_d^{\otimes n})$ of $n$ quantum systems, each $d$-dimensional, which are measured in an individual basis, picked independently and uniformly from a set $\mathfrak{B}$ of bases of $\mathcal{H}_d$, see Theorem 4.22.

4.5.1 A Classical Tool

We start our derivation with a classical information-theoretic tool which itself might be of independent interest.

Theorem 4.20 Let $Z_1, \dots, Z_n$ be $n$ random variables (not necessarily independent) over alphabet $\mathcal{Z}$. If there exists a real number $h \ge 0$ such that for all $1 \le i \le n$ and $z_1, \dots, z_{i-1} \in \mathcal{Z}$:
$$H(Z_i \mid Z_1 = z_1, \dots, Z_{i-1} = z_{i-1}) \ge h,$$
then for any $0 < \lambda < \frac12$
$$H^\varepsilon_\infty(Z_1, \dots, Z_n) \ge (h - 2\lambda)n,$$
where $\varepsilon = \exp\Big(-\dfrac{\lambda^2 n}{32\log(|\mathcal{Z}|/\lambda)^2}\Big)$.

If the $Z_i$'s are independent and have Shannon entropy at least $h$, it is known (see Lemma 2.13) that the smooth min-entropy of $Z_1, \dots, Z_n$ is close to $nh$ for large enough $n$. Informally, Theorem 4.20 guarantees that when the independence condition is relaxed to a lower bound on the Shannon entropy of $Z_i$ given any previous history, then we still have (almost) $nh$ bits of min-entropy except with negligible probability $\varepsilon$.

The proof idea is to use Azuma's inequality in the form of Corollary 4.7 for cleverly chosen $R_i$'s. The main trick is that for a random variable $Z$ over $\mathcal{Z}$, we can define another random variable $S := -\log P_Z(Z)$ over $\mathbb{R}$ with expected value $\mathrm{E}[S] = -\sum_{z \in \mathcal{Z}} P_Z(z)\log P_Z(z) = H(Z)$ equal to the Shannon entropy of $Z$, which allows us to make the connection with the assumption about the Shannon entropy.
Proof: Recall that the superscript means $Z^i := (Z_1, \dots, Z_i)$ for any $i \in \{1, \dots, n\}$, and similarly for other sequences. We want to show that
$$\Pr\big[P_{Z^n}(Z^n) > 2^{-(h-2\lambda)n}\big] \le \varepsilon$$
for $\varepsilon$ as claimed in Theorem 4.20. This means that $P_{Z^n}(z^n)$ is at most $2^{-(h-2\lambda)n}$ except with probability at most $\varepsilon$ (over the choice of $z^n$), and therefore implies the claim $H^\varepsilon_\infty(Z^n) \ge (h - 2\lambda)n$ by the definition of smooth min-entropy from Section 2.2. Note that $P_{Z^n}(Z^n) > 2^{-(h-2\lambda)n}$ is equivalent to
$$\sum_{i=1}^{n}\Big(\log\big(P_{Z_i|Z^{i-1}}(Z_i|Z^{i-1})\big) + h\Big) > 2\lambda n, \qquad (4.6)$$
which is of suitable form to apply Azuma's inequality (Corollary 4.7).

Consider first an arbitrary sequence $S_1, \dots, S_n$ of real-valued random variables. We assume the $S_i$'s to be either all positive or all negative. Define a new sequence $R_1, \dots, R_n$ of random variables by putting $R_i := S_i - \mathrm{E}[S_i \mid S^{i-1}]$. It is straightforward to verify that $\mathrm{E}[R_i \mid R^{i-1}] = 0$, i.e., $R_1, \dots, R_n$ forms a martingale difference sequence. Thus if for any $i$, $|S_i| \le c$ for some $c$, and thus $|R_i| \le c$ (this is where the common sign of the $S_i$'s is used), Azuma's inequality guarantees that
$$\Pr\Big[\sum_{i=1}^{n}\big(S_i - \mathrm{E}[S_i \mid S^{i-1}]\big) \ge \lambda n\Big] \le \exp\Big(-\frac{\lambda^2 n}{2c^2}\Big). \qquad (4.7)$$

We now put $S_i := \log P_{Z_i|Z^{i-1}}(Z_i|Z^{i-1})$ for $i = 1, \dots, n$. Note that $S_1, \dots, S_n \le 0$. It is easy to see that the bound on the conditional entropy of $Z_i$ from Theorem 4.20 implies that $\mathrm{E}[S_i \mid S^{i-1}] \le -h$. Indeed, for any $z^{i-1} \in \mathcal{Z}^{i-1}$, we have $\mathrm{E}[\log P_{Z_i|Z^{i-1}}(Z_i|Z^{i-1}) \mid Z^{i-1} = z^{i-1}] = -H(Z_i \mid Z^{i-1} = z^{i-1}) \le -h$, and thus for any subset $\mathcal{E}$ of $\mathcal{Z}^{i-1}$, and in particular for the set of $z^{i-1}$'s which map to a given $s^{i-1}$, it holds that
$$\mathrm{E}[S_i \mid Z^{i-1} \in \mathcal{E}] = \sum_{z^{i-1}} P_{Z^{i-1}|Z^{i-1}\in\mathcal{E}}(z^{i-1})\;\mathrm{E}\big[\log P_{Z_i|Z^{i-1}}(Z_i|Z^{i-1}) \mid Z^{i-1} = z^{i-1}\big] \le -h. \qquad (4.8)$$
As a consequence, the bound on the probability of (4.7) in particular bounds the probability of the event (4.6), even with $\lambda n$ instead of $2\lambda n$ (since $S_i - \mathrm{E}[S_i \mid S^{i-1}] \ge S_i + h$). A problem though is that we have no upper bound $c$ on the $|S_i|$'s. Because of that, we now consider a modified sequence $\tilde S_1, \dots, \tilde S_n$ defined by $\tilde S_i := \log P_{Z_i|Z^{i-1}}(Z_i|Z^{i-1})$ if $P_{Z_i|Z^{i-1}}(Z_i|Z^{i-1}) \ge \delta$ and $\tilde S_i := 0$ otherwise, where $\delta > 0$ will be determined later. This gives us a bound like (4.7) but with an explicit $c$, namely $c = \log(1/\delta)$. Below, we will argue that $\mathrm{E}[\tilde S_i \mid \tilde S^{i-1}] - \mathrm{E}[S_i \mid \tilde S^{i-1}] \le \lambda$ by the right choice of $\delta$; the claim then follows from observing that
$$\tilde S_i - \mathrm{E}[\tilde S_i \mid \tilde S^{i-1}] \ge \tilde S_i - \mathrm{E}[S_i \mid \tilde S^{i-1}] - \lambda \ge S_i + h - \lambda,$$
where the last inequality follows from $\tilde S_i \ge S_i$ and from (4.8). Regarding the claim $\mathrm{E}[\tilde S_i \mid \tilde S^{i-1}] - \mathrm{E}[S_i \mid \tilde S^{i-1}] \le \lambda$, using a similar argument as for (4.8), it suffices to show that $\mathrm{E}[\tilde S_i \mid Z^{i-1} = z^{i-1}] - \mathrm{E}[S_i \mid Z^{i-1} = z^{i-1}] \le \lambda$ for any $z^{i-1}$:
$$\mathrm{E}[\tilde S_i \mid Z^{i-1} = z^{i-1}] - \mathrm{E}[S_i \mid Z^{i-1} = z^{i-1}] = -\sum_{z_i} P_{Z_i|Z^{i-1}}(z_i|z^{i-1})\log\big(P_{Z_i|Z^{i-1}}(z_i|z^{i-1})\big) \le |\mathcal{Z}|\,\delta\log(1/\delta),$$
where the summation is over all $z_i \in \mathcal{Z}$ with $P_{Z_i|Z^{i-1}}(z_i|z^{i-1}) < \delta$, and where the inequality holds as long as $\delta < 1/e$, as can easily be verified ($x \mapsto x\log(1/x)$ is increasing on $(0, 1/e)$). Thus, we let $0 < \delta < 1/e$ be such that $|\mathcal{Z}|\,\delta\log(1/\delta) = \lambda$. Using the mathematical Lemma 4.8 we have that $\delta \ge \dfrac{\lambda}{4|\mathcal{Z}|\log(|\mathcal{Z}|/\lambda)}$ and derive that $c^2 = \log(1/\delta)^2 = \lambda^2/(\delta|\mathcal{Z}|)^2 \le 16\log(|\mathcal{Z}|/\lambda)^2$, which gives us the claimed bound $\varepsilon$ on the probability. $\square$
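The practical content of Theorem 4.20 is easy to see on a small source where the hypothesis holds exactly but the variables are far from independent. The script below is an added example, not part of the thesis: it uses a constructed binary Markov chain that repeats the previous symbol with probability `P_STAY`, so every conditional distribution $P_{Z_i|Z^{i-1}}(\cdot|z^{i-1})$ has entropy exactly $h = h_2(\texttt{P\_STAY})$. The plain min-entropy rate of $Z^n$ is only $-\log_2 \texttt{P\_STAY} < h$ (the all-"stay" sequence is far too likely), whereas the smooth min-entropy rate is $h - 2\lambda$ up to the failure probability the theorem bounds; `failure_fraction` estimates that probability by sampling, and `theorem_4_20_eps` evaluates the theorem's $\varepsilon$ for comparison.

```python
"""Empirical illustration of Theorem 4.20 (added example, not from the thesis).

Constructed source: a binary Markov chain that repeats the previous symbol with
probability P_STAY.  Every conditional distribution P(Z_i | Z^{i-1} = z^{i-1}) is
Bernoulli(P_STAY) or Bernoulli(1 - P_STAY), so its Shannon entropy is exactly
h = h2(P_STAY) for every history, which is the hypothesis of the theorem.
"""
import math
import random

P_STAY = 0.7   # constructed parameter; any value in (0, 1) other than 1/2 shows the same effect


def h2(p):
    """Binary entropy in bits."""
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def conditional_prob(prev, z):
    """P(Z_i = z | Z_{i-1} = prev); for i = 1 (prev is None) we take P(Z_1 = 0) = P_STAY."""
    anchor = 0 if prev is None else prev
    return P_STAY if z == anchor else 1 - P_STAY


def sample_sequence(n, rng):
    seq, prev = [], None
    for _ in range(n):
        z = 0 if rng.random() < conditional_prob(prev, 0) else 1
        seq.append(z)
        prev = z
    return seq


def log2_prob(seq):
    """log2 P_{Z^n}(z^n) via the chain rule P(z^n) = prod_i P(z_i | z^{i-1})."""
    total, prev = 0.0, None
    for z in seq:
        total += math.log2(conditional_prob(prev, z))
        prev = z
    return total


def shannon_rate():
    """h = H(Z_i | Z^{i-1} = z^{i-1}) for every history."""
    return h2(P_STAY)


def min_entropy_rate():
    """Exact (non-smooth) H_inf(Z^n)/n: the most likely z^n takes the 'stay' branch at every step."""
    return -math.log2(max(P_STAY, 1 - P_STAY))


def failure_fraction(n, lam, samples, seed=1):
    """Fraction of sampled z^n with P(z^n) > 2^{-(h - 2 lam) n}: the event Theorem 4.20 bounds by eps."""
    rng = random.Random(seed)
    threshold = -(shannon_rate() - 2 * lam) * n
    bad = sum(1 for _ in range(samples) if log2_prob(sample_sequence(n, rng)) > threshold)
    return bad / samples


def theorem_4_20_eps(n, lam, alphabet_size=2):
    """eps = exp(-lam^2 n / (32 log2(|Z|/lam)^2)) from Theorem 4.20."""
    return math.exp(-lam ** 2 * n / (32 * math.log2(alphabet_size / lam) ** 2))
```

Two things are worth noting when reading the numbers. For `n = 200` and $\lambda = 0.1$ the sampled failure fraction is already zero while the theorem's $\varepsilon$ is about $0.997$: the bound is an asymptotic statement, and at this $\lambda$ it only becomes small for $n$ in the range of $10^5$ to $10^6$. So $(h - 2\lambda)n$ should not be read as a guaranteed key length for short blocks, and the constant $32$ in the exponent is what a practitioner has to pay for dropping the independence assumption.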

4.5.2 Quantum Uncertainty Relations 

We now state and prove the new entropic uncertainty relation in its most general 
form. A special case will then be introduced (Corollary I4.23[) and used in the 
security analysis of the 1-2 OT-protocols we consider in Chapter [6l 

Definition 4.21 LetS be a finite set of orthonormal bases in the d- dimensional 
Hilbert space Tid- We call h > an average entropic uncertainty bound for S 
if every state in TLd satisfies J2$eS H(P#) — h> w ^ ere P® ^ s the distribution 
obtained by measuring the state in basis 

Note that by the convexity of the Shannon entropy H, a lower bound for all 
pure states in TL^ suffices to imply the bound for all (possibly mixed) states. 

Theorem 4.22 Let S be a set of orthonormal bases in Hd with an average 
entropic uncertainty bound h, and let p G V(?i® n ) be an arbitrary quantum 
state. Let = (©i,...,0 n ) be uniformly distributed over S n and let X = 
(Xi,...,X n ) be the outcome when measuring p in basis 0, distributed over 
{0, . . . , d - l} n . Then for any < A < \ 

H £ oo (X|0)>(/ i -2A)n 
m ^ £ = eXp (~ 3 2 (io g £M/A))0 - 

Proof: Define $Z_i := (X_i, \Theta_i)$ and $Z^i := (Z_1,\ldots,Z_i)$. Let $z^{i-1} \in \mathcal{Z}^{i-1}$ be arbitrary. Then

\[
H(Z_i \mid Z^{i-1}=z^{i-1}) = H(X_i \mid \Theta_i, Z^{i-1}=z^{i-1}) + H(\Theta_i \mid Z^{i-1}=z^{i-1}) \ge h + \log|\mathcal{B}|,
\]

where the inequality follows from the fact that $\Theta_i$ is chosen uniformly at random and from the definition of h. Note that h lower bounds the average entropy for any system in $\mathcal{H}_d$, and thus in particular for the ith subsystem of $\rho$, with all previous d-dimensional subsystems measured. Theorem 4.20 thus implies that $H^\varepsilon_\infty(X\Theta) \ge (h + \log|\mathcal{B}| - 2\lambda)n$ for any $0 < \lambda < \frac12$ and for $\varepsilon$ as claimed. We conclude that

\[
H^\varepsilon_\infty(X \mid \Theta) \ge H^\varepsilon_\infty(X\Theta) - n\log|\mathcal{B}| \ge (h-2\lambda)\,n,
\]

where the first inequality follows from the equality

\[
P_{X\mathcal{E}|\Theta}(x|\theta) = P_{X\Theta\mathcal{E}}(x,\theta)/P_\Theta(\theta) = |\mathcal{B}|^n \cdot P_{X\Theta\mathcal{E}}(x,\theta)
\]

for all x and $\theta$ and any event $\mathcal{E}$, and from the definition of (conditional) smooth entropy. □

For the special case where $\mathcal{B} = \{+,\times\}$ is the set of BB84 bases, we can use the uncertainty relation of Maassen and Uffink [MU88] (see Equation (4.2)) which, using our terminology, states that $\mathcal{B}$ has average entropic uncertainty bound $h = \frac12$. Theorem 4.22 together with Lemma 4.9 then immediately gives the following corollary.

Corollary 4.23 Let $\rho \in \mathcal{P}(\mathcal{H}_2^{\otimes n})$ be an arbitrary n-qubit quantum state. Let $\Theta = (\Theta_1,\ldots,\Theta_n)$ be uniformly distributed over $\{+,\times\}^n$ and $X = (X_1,\ldots,X_n)$ be the outcome when measuring $\rho$ in basis $\Theta$. Then for any $0 < \lambda < \frac12$

\[
H^\varepsilon_\infty(X \mid \Theta) \ge \left(\tfrac12 - 2\lambda\right) n
\]

where $\varepsilon = 2^{-\lambda^2 n/32}$.



Maassen and Uffink's relation being optimal means there exists a quantum state $\rho$, namely the product state of eigenstates of the subsystems, e.g. $\rho = |0\rangle\langle 0|^{\otimes n}$, for which $H(X|\Theta) = \frac{n}{2}$. On the other hand, we have shown that $(\frac12 - \lambda)n \le H^\varepsilon_\infty(X|\Theta)$ for $\lambda > 0$ arbitrarily close to 0. For the product state $\rho$, the $X_i$ are independent and we know from Lemma 2.13 that $H^\varepsilon_\infty(X|\Theta)$ approaches $H(X|\Theta) = \frac{n}{2}$. It follows that the relation cannot be significantly improved even when considering Rényi entropy of order $1 < \alpha < \infty$.

Another tight corollary is obtained if we consider the set of measurements $\mathcal{B} = \{+,\times,\odot\}$ (see Section 2.3 for the definition of the circular basis $\odot$). In [San93], Sánchez-Ruiz shows that for this $\mathcal{B}$, the average entropic uncertainty bound

\[
h = \tfrac23 \qquad (4.9)
\]

is optimal. It implies that $H^\varepsilon_\infty(X|\Theta) \gtrsim H(X|\Theta) = \frac{2n}{3}$ for negligible $\varepsilon$.

4.5.3 The Overall Average Entropic Uncertainty Bound 

In this section, we compute the average uncertainty bound for the set of all bases of a d-dimensional Hilbert space. Let $\mathcal{U}(d)$ be the set of unitaries on $\mathcal{H}_d$. Moreover, let $dU$ be the normalized Haar measure on $\mathcal{U}(d)$, i.e.,

\[
\int_{\mathcal{U}(d)} f(VU)\,dU = \int_{\mathcal{U}(d)} f(UV)\,dU = \int_{\mathcal{U}(d)} f(U)\,dU,
\]

for any $V \in \mathcal{U}(d)$ and any integrable function f, and $\int_{\mathcal{U}(d)} dU = 1$. (Note that the normalized Haar measure $dU$ exists and is unique.)

Let $\{\omega_1,\ldots,\omega_d\}$ be a fixed orthonormal basis of $\mathcal{H}_d$, and let $\mathcal{B}_{\mathrm{all}} = \{\vartheta_U\}_{U\in\mathcal{U}(d)}$ be the family of bases $\vartheta_U = \{U\omega_1,\ldots,U\omega_d\}$ with $U \in \mathcal{U}(d)$. The set $\mathcal{B}_{\mathrm{all}}$ consists of all orthonormal bases of $\mathcal{H}_d$. We generalize Definition 4.21, the average entropic uncertainty bound for a finite set of bases, to the infinite set $\mathcal{B}_{\mathrm{all}}$.

Definition 4.24 We call $h_d$ an overall average entropic uncertainty bound in $\mathcal{H}_d$ if every state in $\mathcal{H}_d$ satisfies

\[
\int_{\mathcal{U}(d)} H(P_{\vartheta_U})\,dU \ge h_d,
\]

where $P_{\vartheta_U}$ is the distribution obtained by measuring the state in basis $\vartheta_U \in \mathcal{B}_{\mathrm{all}}$.



Proposition 4.25 For any positive integer d,



is the overall average entropic uncertainty bound in $\mathcal{H}_d$. It is attained for any pure state in $\mathcal{H}_d$.

The proposition follows immediately from Formula (14) in [JRW94] for a pure state, i.e. $(\lambda_1,\ldots,\lambda_n) = (1,0,\ldots,0)$. The result was originally shown by Sykora [Syk74] and by Jones [Jon91]; another proof can be found in the appendix of an article by Jozsa, Robb, and Wootters [JRW94]. An elementary proof suggested by Harremoës based on recent results by Harremoës and Vignat [HV06] is given below.

Proof: Let $|\varphi\rangle$ be a pure state in $\mathcal{H}_d$. For the probability distribution $P_{\vartheta_U} = (p_1,\ldots,p_d)$ holds $p_i = |\langle\varphi|U|\omega_i\rangle|^2$. We want to compute the integral

\[
\int_{\mathcal{U}(d)} -\sum_{i=1}^d p_i \log(p_i)\,dU
= -\sum_{i=1}^d \int_{\mathcal{U}(d)} |\langle\varphi|U|\omega_i\rangle|^2 \log\!\big(|\langle\varphi|U|\omega_i\rangle|^2\big)\,dU.
\]

Note that by the invariance of the Haar measure, all summands on the right-hand side are equal and it suffices to compute

\[
-d \int_{\mathcal{U}(d)} |\langle\varphi|U|e_1\rangle|^2 \log\!\big(|\langle\varphi|U|e_1\rangle|^2\big)\,dU, \qquad (4.10)
\]

where $|e_1\rangle$ is the first vector in the computational basis, i.e. $|\langle\varphi|U|e_1\rangle|^2$ is the length of the projection onto the first coordinate of $U^*|\varphi\rangle$.

The Haar measure over $\mathcal{U}(d)$ is the uniform distribution over the d-dimensional complex sphere which can be seen as the uniform distribution over the 2d-dimensional real sphere $S_{2d} = \{(X,Y) \in \mathbb{R}^{2d} \mid \sum_{i=1}^d X_i^2 + Y_i^2 = 1\}$ where the complex coordinates are given by $(X_1 + iY_1,\ldots,X_d + iY_d)$. Setting $Z_i = X_i^2 + Y_i^2$ and $Z = (Z_1,\ldots,Z_d)$ and using a result from [HV06] about the projection of the uniform distribution over $S_{2d}$ to the first coordinate, we obtain that the density of $Z_1$ is $f(z) = (d-1)(1-z)^{d-2}$ for $z \in [0,1]$. Therefore, (4.10) equals

\[
-d \int_0^1 z\log(z)\cdot(d-1)(1-z)^{d-2}\,dz = \frac{1}{\ln 2}\sum_{k=2}^{d}\frac{1}{k},
\]

where the evaluation of this integral follows from standard calculus. By convexity of the Shannon entropy, the bound also holds for mixed states and the claim follows. □

The following table gives some numerical values of $h_d$ for small values of d.

    d              2      4      8      16
    h_d            0.72   1.56   2.48   3.43
    h_d / log(d)   0.72   0.78   0.83   0.86

It is well-known that the harmonic series in Proposition 4.25 diverges in the same way as log(d) and therefore, $h_d/\log(d)$ goes to 1 for large dimensions d.
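To see where the table values come from, here is a small added check, not part of the thesis, that evaluates the integral from the proof numerically and compares it with the closed form $(1/\ln 2)\sum_{k=2}^d 1/k$; the function names and the midpoint-rule step count are choices of this example.

```python
import math
from typing import Dict, Tuple


def haar_density(z: float, d: int) -> float:
    """Density f(z) = (d-1)(1-z)^(d-2) of Z_1 = |<phi|U|e_1>|^2 under Haar-random U."""
    return (d - 1) * (1.0 - z) ** (d - 2)


def integral_bound(d: int, steps: int = 200_000) -> float:
    """-d * int_0^1 z log(z) f(z) dz by the midpoint rule (log base 2, as in the
    entropy).  The integrand vanishes at z = 0, so no endpoint treatment is needed."""
    h = 1.0 / steps
    total = 0.0
    for k in range(steps):
        z = (k + 0.5) * h
        total += z * math.log2(z) * haar_density(z, d)
    return -d * h * total


def harmonic_bound(d: int) -> float:
    """Closed form h_d = (1/ln 2) * sum_{k=2}^{d} 1/k."""
    return sum(1.0 / k for k in range(2, d + 1)) / math.log(2)


def bound_table(dims=(2, 4, 8, 16)) -> Dict[int, Tuple[float, float]]:
    """d -> (h_d, h_d / log d), rounded to two decimals like the table above."""
    return {
        d: (round(harmonic_bound(d), 2), round(harmonic_bound(d) / math.log2(d), 2))
        for d in dims
    }


def max_integral_error(dims=(2, 4, 8, 16)) -> float:
    """Largest discrepancy between the numeric integral and the closed form."""
    return max(abs(integral_bound(d) - harmonic_bound(d)) for d in dims)


if __name__ == "__main__":
    print(bound_table())
    print("max |integral - closed form| =", max_integral_error())
    print("h_d/log d at d = 2^20:", harmonic_bound(1 << 20) / 20)
```

Because the harmonic sum grows like $\ln d$, the last line illustrates the remark above: the ratio $h_d/\log(d)$ is already about 0.97 at $d = 2^{20}$.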



Chapter 5

Rabin OT in the Bounded-Quantum-Storage Model



In this chapter, we present an efficient protocol for Rabin Oblivious Transfer which is secure in the bounded-quantum-storage model. It first appeared in [DFSS05]; a journal version of this paper is in preparation [DFSS08].

5.1 The Definition 

A protocol for Rabin Oblivious Transfer (Rabin OT) between sender Alice and receiver Bob allows for Alice to send a bit b through an erasure channel to Bob. Each transmission delivers b or an erasure with probability $\frac12$. Intuitively, a protocol for Rabin OT is secure if

• the sender Alice gets no information on whether b was received or not, no matter what she does, and

• the receiver Bob gets no information about b with probability at least $\frac12$, no matter what he does.

In this chapter, we are considering quantum protocols for Rabin OT. This 
means that while the inputs and outputs of the honest senders are classical, 
described by random variables, the protocol may contain quantum computation 
and quantum communication, and the view of a dishonest player is quantum, 
and is thus described by a quantum state. 

Any such (two-party) protocol is specified by a family $\{(S_n, R_n)\}_{n \ge 0}$ of pairs of interactive quantum circuits (i.e. interacting through a quantum channel). Each pair is indexed by a security parameter $n \ge 0$, where $S_n$ and $R_n$ denote the circuits for sender Alice and receiver Bob, respectively. In order to simplify the notation, we often omit the index n, leaving the dependency on it implicit.

For the formal definition of the security requirements of a Rabin OT protocol, let us fix the following notation. Let B denote the binary random variable describing S's input bit b, and let A and Y denote the binary random variables describing R's two output bits, where the meaning is that A indicates whether the bit was received or not. Furthermore, for a dishonest sender $\tilde S$, the final state of a fixed candidate protocol for Rand 1-2 OT can be described by the ccq-state $\rho_{AY\tilde S}$ where (by slight abuse of notation) we also denote by $\tilde S$ the quantum register that the sender outputs. Its state may depend on A and Y. Similarly, for a dishonest receiver $\tilde R$, we have the cq-state $\rho_{B\tilde R}$.

Definition 5.1 A two-party (quantum) protocol (S, R) is an $\varepsilon$-secure Rabin OT if the following holds:

$\varepsilon$-Correctness: For honest S and R,

\[
P[B = Y \mid A = 1] \ge 1 - \varepsilon.
\]

$\varepsilon$-Receiver-security: For honest R and any dishonest $\tilde S$ there exists¹ a binary random variable $B'$ such that

\[
P[B' = Y \mid A = 1] \ge 1 - \varepsilon, \quad\text{and}\quad \delta\big(\rho_{AB'\tilde S},\ \tfrac12\mathbb{1} \otimes \rho_{B'\tilde S}\big) \le \varepsilon.
\]

$\varepsilon$-Sender-security: For any $\tilde R$ there exists an event $\mathcal{E}$ with $P[\mathcal{E}] \ge \frac12 - \varepsilon$ such that

\[
\delta\big(\rho_{B\tilde R|\mathcal{E}},\ \rho_B \otimes \rho_{\tilde R|\mathcal{E}}\big) \le \varepsilon.
\]

If any of the above holds for $\varepsilon = 0$, then the corresponding property is said to hold perfectly. If one of the properties only holds with respect to a restricted class $\mathfrak{S}$ of $\tilde S$'s respectively $\mathfrak{R}$ of $\tilde R$'s, then this property is said to hold (and the protocol is said to be secure) against $\mathfrak{S}$ respectively $\mathfrak{R}$.

Receiver-security requires that the joint quantum state is essentially the same as when the dishonest sender chooses a bit $B'$ according to some distribution and a (possibly dependent) quantum state, and gives $B'$ to an ideal functionality which passes it on to the receiver with probability $\frac12$. Sender-security requires that the joint quantum state is essentially the same as when the dishonest receiver gets the sender's bit B with probability $\frac12$ and prepares some state that may depend on B in case he receives it, and prepares some state that does not depend on B otherwise. In other words, security requires that the dishonest party cannot do more than when attacking an ideal functionality. From such a strong security guarantee we expect nice composition behavior, for instance like in [CSSW06].

Note that the original definition given in [DFSS05] does not guarantee that the distribution of the input bit is determined at the end of the execution of Rabin OT. This is a strictly weaker definition and does not fully capture what is expected from a Rabin OT: it is easy to see that if the dishonest sender can still influence his input bit after the execution of the protocol, then known schemes based on Rabin OT, like bit commitments, are not secure anymore. The security definition given here is in the spirit of the security definition from [DFR+07] for 1-2 OT, described in the next Chapter 6.



¹ Recall from Section 2.3: Given a cq-state $\rho_{XE}$, by saying that there exists a random variable Y such that $\rho_{XYE}$ satisfies some condition, we mean that $\rho_{XE}$ can be understood as $\rho_{XE} = \mathrm{tr}_Y(\rho_{XYE})$ for a ccq-state $\rho_{XYE}$ that satisfies the required condition.
5.2 The Protocol

We present a quantum protocol for Rabin OT that will be shown perfectly correct and perfectly receiver-secure (against any sender) and statistically sender-secure against any quantum-memory-bounded receiver. Our protocol exhibits some similarity with quantum conjugate coding introduced by Wiesner [Wie83].



QOT(b):

1. S picks $x \in_R \{0,1\}^n$ and $r \in_R \{+,\times\}$ and sends $|\psi\rangle := |x\rangle_r$ to R (i.e. the string x encoded in basis r).

2. R picks $r' \in_R \{+,\times\}$ and measures all qubits of $|\psi\rangle$ in basis $r'$. Let $x' \in \{0,1\}^n$ be the result.

3. S announces r, $f \in_R \mathcal{F}_n$, and $e := b \oplus f(x)$.

4. R outputs $a := 1$ and $y := e \oplus f(x')$ if $r' = r$ and else $a := 0$ and $y := 0$.

Figure 5.1: Quantum Protocol for Rabin OT

The protocol given in Figure 5.1 is very simple: S picks $x \in_R \{0,1\}^n$ and sends to R n qubits in state either $|x\rangle_+$ or $|x\rangle_\times$, each chosen with probability $\frac12$. R then measures all received qubits either in the rectilinear or in the diagonal basis. With probability $\frac12$, R picked the right basis and gets x, while any R that is forced to measure part of the state (due to a memory bound) can only have full information on x in case the +-basis was used or in case the ×-basis was used (but not in both cases). Privacy amplification based on any two-universal class of hashing functions $\mathcal{F}_n$ is then used to eliminate partial information (as explained in Section 2.5). For simplicity, we focus on the case where the output size of the family $\mathcal{F}_n$ is just one bit, i.e. $\ell = 1$, but all results of this chapter can easily be extended to Rabin OT$^\ell$ of $\ell$-bit strings, by using an output size $\ell > 1$ and adjusting the memory bounds accordingly, see Section 5.7.

In order to avoid aborting, we specify that if a dishonest S refuses to partic- 
ipate, or sends data in incorrect format, then R samples its output bits a and 
y both at random in {0, 1}. 
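The following Python simulation is an added illustration, not code from the thesis: it runs the four steps of QOT with honest parties, models a qubit $|x_i\rangle_r$ measured in basis $r'$ classically (the exact bit when $r' = r$, a uniformly random bit otherwise), and uses the two-universal family $f_{a,c}(x) = \langle a,x\rangle \oplus c$ over GF(2) as one concrete choice for $\mathcal{F}_n$. The function names and the seeded generator are assumptions of the example; the classical model says nothing about a dishonest receiver's quantum memory, which is what the security proof in Section 5.4 is about.

```python
import random
from typing import List, Tuple


def measure(x: List[int], r: str, r_prime: str, rng: random.Random) -> List[int]:
    """Classical stand-in for measuring |x>_r qubit-wise in basis r_prime
    (r, r_prime in {'+', 'x'}): the matching basis returns x exactly, the
    conjugate basis returns a uniformly random string."""
    if r == r_prime:
        return list(x)
    return [rng.randrange(2) for _ in x]


def hash_bit(a: List[int], c: int, x: List[int]) -> int:
    """f_{a,c}(x) = <a,x> xor c over GF(2): a two-universal family with a
    one-bit output (assumed here as a concrete choice for F_n)."""
    acc = c
    for ai, xi in zip(a, x):
        acc ^= ai & xi
    return acc


def qot(b: int, n: int, rng: random.Random) -> Tuple[int, int]:
    """One honest run of QOT(b); returns R's output (a, y)."""
    # Step 1: S picks x and basis r and sends |x>_r.
    x = [rng.randrange(2) for _ in range(n)]
    r = rng.choice("+x")
    # Step 2: R picks r' and measures every qubit in it.
    r_prime = rng.choice("+x")
    x_prime = measure(x, r, r_prime, rng)
    # Step 3: S announces r, the hash function f = (a, c) and e = b xor f(x).
    a = [rng.randrange(2) for _ in range(n)]
    c = rng.randrange(2)
    e = b ^ hash_bit(a, c, x)
    # Step 4: R unmasks only if the bases matched.
    if r_prime == r:
        return 1, e ^ hash_bit(a, c, x_prime)
    return 0, 0


def simulate(trials: int, n: int = 32, seed: int = 7) -> Tuple[float, bool]:
    """Fraction of runs with a = 1 (the erasure channel: about 1/2) and whether
    every received bit equalled b (perfect correctness)."""
    rng = random.Random(seed)
    received, all_correct = 0, True
    for _ in range(trials):
        b = rng.randrange(2)
        a, y = qot(b, n, rng)
        if a == 1:
            received += 1
            all_correct = all_correct and y == b
    return received / trials, all_correct


def collision_fraction(x1: List[int], x2: List[int]) -> float:
    """Exact Pr_f[f(x1) = f(x2)] over the whole family (two-universality means
    1/2 for x1 != x2); enumerates all 2^(n+1) functions, so keep n small."""
    n = len(x1)
    hits = total = 0
    for mask in range(1 << n):
        a = [(mask >> i) & 1 for i in range(n)]
        for c in (0, 1):
            total += 1
            hits += hash_bit(a, c, x1) == hash_bit(a, c, x2)
    return hits / total


if __name__ == "__main__":
    print("received fraction, all correct:", simulate(4000))
    print("collision probability for distinct inputs:", collision_fraction([1, 0, 1, 1], [0, 1, 1, 0]))
```

`collision_fraction` is the property that lets Corollary 2.25 turn min-entropy about x into a near-uniform masking bit; the XOR mask discussed in Section 5.5 is the special case $a = (1,\ldots,1)$, $c = 0$ chosen once and for all, which is exactly what two-universality forbids.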

We first consider receiver-security. 

Proposition 5.2 QOT is perfectly receiver-secure.

It is obvious that no information about whether R has received the bit is leaked to any sender S, since R does not send anything. However, one needs to show the existence of a random variable $B'$ as required by receiver-security.

Proof: Recall, the quantum state $\rho_{AY\tilde S}$ is defined by the experiment where the dishonest sender $\tilde S$ interacts with the honest memory-bounded R. Consider a modification of the experiment where we allow R to be unbounded in memory and where R waits to receive r and then measures all qubits in basis r. Let $X'$ be the resulting string. Nevertheless, R picks $r' \in_R \{+,\times\}$ at random and outputs $(A,Y) = (0,0)$ if $r' \ne r$ and $(A,Y) = (1, e \oplus f(X'))$ if $r' = r$. Since the only difference between the two experiments is when R measures the qubits and in what basis R measures them when $r \ne r'$, in which case his final output is independent of the measurement outcome, the two experiments result in the same $\rho_{AY\tilde S}$. However, in the modified experiment we can choose $B'$ to be $e \oplus f(X')$, such that by construction $B' = Y$ if $A = 1$ and A is uniformly distributed, independent of anything, and thus $\rho_{AB'\tilde S} = \frac12\mathbb{1} \otimes \rho_{B'\tilde S}$. □

As we shall see in Section 5.4, the security of the QOT protocol against receivers with bounded-size quantum memory holds as long as the bound applies before Step 3 is reached. An equivalent protocol is obtained by purifying the sender's actions. Although QOT is easy to implement, the purified or EPR-based version depicted in Figure 5.2 is easier to prove secure. This technique was pioneered by Ekert [Eke91] in the scenario of quantum key distribution. A similar approach was taken in the Shor-Preskill proof of security for the BB84 quantum-key-distribution scheme [SP00].



EPR-QOT(b):

1. S prepares n EPR pairs each in state $|\Omega\rangle = \frac{1}{\sqrt2}(|00\rangle + |11\rangle)$ and sends one half of each pair to R and keeps the other halves.

2. R picks $r' \in_R \{+,\times\}$ and measures all received qubits in basis $r'$. Let $x' \in \{0,1\}^n$ be the result.

3. S picks $r \in_R \{+,\times\}$, and measures all kept qubits in basis r. Let $x \in \{0,1\}^n$ be the outcome. S announces r, $f \in_R \mathcal{F}_n$, and $e := b \oplus f(x)$.

4. R outputs $a := 1$ and $y := e \oplus f(x')$ if $r' = r$ and else $a := 0$ and $y := 0$.

Figure 5.2: Protocol for EPR-based Rabin OT

Notice that while QOT requires no quantum memory for honest players, 
quantum memory for S seems to be required in EPR-QOT. The following Lemma 
shows the strict security equivalence between QOT and epr-qot. 

Lemma 5.3 QOT is $\varepsilon$-sender-secure if and only if EPR-QOT is.

Proof: The proof follows easily after observing that S's choices of r and f, together with the measurements, all commute with R's actions. Therefore, they can be performed right after Step 1 with no change for R's view. Modifying EPR-QOT that way results in QOT. □

Note that for a dishonest receiver it is not only irrelevant whether he tries to 
attack QOT or epr-qot, but in fact there is no difference in the two protocols 
from his point of view. 
5.3 Modeling Dishonest Receivers

We model dishonest receivers in QOT, respectively EPR-QOT, under the assumption that the maximum size of their quantum storage is bounded. These adversaries are only required to have bounded quantum storage when they reach Step 3 in (EPR-)QOT. Before (and after) that, the adversary can store and carry out quantum computations involving any number of qubits. Apart from the restriction on the size of the quantum memory available to the adversary, no other assumption is made. In particular, the adversary is not assumed to be computationally bounded and the size of its classical memory is not restricted.

Definition 5.4 The set $\mathfrak{R}_\gamma$ denotes all possible quantum dishonest receivers $\{\tilde R_n\}_{n \ge 0}$ in QOT or EPR-QOT where for each $n \ge 0$, $\tilde R_n$ has quantum memory of size at most $\gamma n$ when Step 3 is reached.

In general, the adversary $\tilde R$ is allowed to perform any quantum computation compressing the n qubits received from S into a quantum register M of size at most $\gamma n$ when Step 3 is reached. More precisely, the compression function is implemented by some unitary transform T acting upon the quantum state received and an ancilla register of arbitrary size (initially in the state $|0\rangle$). The compression is performed by a measurement that we assume in the computational basis without loss of generality. Before starting Step 3 the adversary first applies a unitary transform T:

\[
2^{-n/2}\sum_{x\in\{0,1\}^n} |x\rangle \otimes |x\rangle \otimes |0\rangle
\;\mapsto\;
2^{-n/2}\sum_{x\in\{0,1\}^n} |x\rangle \otimes \sum_y \alpha_{x,y}\,|\varphi_{x,y}\rangle_M\,|y\rangle_Y,
\]

where for all x, $\sum_y |\alpha_{x,y}|^2 = 1$. Then, a measurement in the computational basis is applied to register Y providing classical outcome y. The result is a quantum state in register M of size $\gamma n$ qubits. Ignoring the value of y to ease the notation, the re-normalized state of the system in its most general form when Step 3 in EPR-QOT is reached is thus of the form

\[
|\psi\rangle = \sum_{x\in\{0,1\}^n} \alpha_x\,|x\rangle \otimes |\varphi_x\rangle_M,
\]

where $\sum_x |\alpha_x|^2 = 1$. We will prove security for any such state $|\psi\rangle$ and thus conditioned on any value y that may be observed. It is therefore safe to leave the dependency on y implicit.

5.4 Security Against Dishonest Receivers

In this section, we use the uncertainty relation derived in Section 4.3 to show that EPR-QOT is secure against any dishonest receiver having access to a quantum storage device of size strictly smaller than half the number of qubits received at Step 1.
Theorem 5.5 For all $\gamma < \frac12$, QOT is $\varepsilon$-secure for a negligible (in n) $\varepsilon$ against $\mathfrak{R}_\gamma$.

Proof: After Lemma 5.3 and Proposition 5.2 it remains to show that EPR-QOT is $\varepsilon$-sender-secure against $\mathfrak{R}_\gamma$. Since $\gamma < \frac12$, we can find $\kappa > 0$ with $\gamma + \kappa < \frac12$. Consider a dishonest receiver $\tilde R$ in EPR-QOT with quantum memory of size $\gamma n$. Let R and X denote the random variables describing the basis r and the outcome x of S's measurement (in basis r) in Step 3 of EPR-QOT, respectively. We implicitly understand the distribution of X given R to be conditioned on the classical outcome y of the measurement $\tilde R$ performed when the memory bound applies, as described in Section 5.3; the following analysis works no matter what y is. Corollary 4.17 with $\lambda = \gamma + \kappa$ implies the existence of $\varepsilon$ negligible in n and an event $\mathcal{E}$ such that $P[\mathcal{E}] \ge \frac12 - \varepsilon$ and such that $H_\infty(X \mid R = r, \mathcal{E}) \ge \gamma n + \kappa n$ for any relevant r. Note that by construction, the random variables X and R, and thus also the event $\mathcal{E}$, are independent of the sender's input bit B, and hence $P_{B|\mathcal{E}} = P_B$. It remains to show that $\delta(\rho_{B\tilde R|\mathcal{E}}, \rho_{B|\mathcal{E}} \otimes \rho_{\tilde R|\mathcal{E}}) \le \varepsilon$. As the bit B is masked by the output of the two-universal hash function F(X) in Step 4 of EPR-QOT (where the random variable F represents the random choice for f), it suffices to show that F(X) is close to uniform and essentially independent from $\tilde R$'s view, conditioned on $\mathcal{E}$. But this is guaranteed by the above bound on $H_\infty(X \mid R = r, \mathcal{E})$ and by the privacy-amplification theorem (Corollary 2.25 with $\varepsilon' := 0$, $\ell := 1$, $q := \gamma n$ and U constant). □

5.5 On the Necessity of Privacy Amplification 

In this section, we show that randomized privacy amplification is needed for protocol QOT to be secure. For instance, it is tempting to believe that the sender could use the XOR $\bigoplus_i x_i$ in order to mask the bit b, rather than f(x) for a randomly sampled $f \in \mathcal{F}_n$. This would reduce the communication complexity as well as the number of random coins needed. However, we argue in this section that this is not secure (against an adversary as we model it). Indeed, somewhat surprisingly, this variant can be broken by a dishonest receiver that has no quantum memory at all (but that can do coherent measurements on pairs of qubits) in the case n is even. For odd n, the dishonest receiver needs to store a single qubit.

Clearly, a dishonest receiver can break the modified scheme QOT and learn the bit b with probability 1 if he can compute $\bigoplus_i x_i$ with probability 1. Note that, using the equivalence between QOT and EPR-QOT, $x_i$ can be understood as the outcome of the measurement in either the +- or the ×-basis, performed by the sender on one part of an EPR pair while the other is handed over to the receiver. The following proposition shows that indeed the receiver can learn $\bigoplus_i x_i$ by a suitable measurement of his parts of the EPR pairs. Concretely, he measures the qubits he receives pair-wise by a suitable measurement which allows him to learn the XOR of the two corresponding $x_i$'s, no matter what the basis is (and he needs to store one single qubit in case n is odd). This obviously allows him to learn the XOR of all $x_i$'s in all cases.
Proposition 5.6 Consider two EPR pairs, i.e., $|\psi\rangle = \frac12\sum_x |x\rangle_S|x\rangle_R$ where x ranges over $\{0,1\}^2$. Let $r \in \{+,\times\}$, and let $x_1$ and $x_2$ be the result when measuring the two qubits in register S in basis r. There exists a fixed measurement for register R so that the outcome together with r uniquely determines $x_1 \oplus x_2$.

Proof: The measurement that does the job is the Bell measurement, i.e., the measurement in the Bell basis $\{|\Phi^+\rangle, |\Psi^+\rangle, |\Phi^-\rangle, |\Psi^-\rangle\}$. Recall,

\[
\begin{aligned}
|\Phi^+\rangle &= \tfrac{1}{\sqrt2}\big(|00\rangle_+ + |11\rangle_+\big) = \tfrac{1}{\sqrt2}\big(|00\rangle_\times + |11\rangle_\times\big)\\
|\Psi^+\rangle &= \tfrac{1}{\sqrt2}\big(|01\rangle_+ + |10\rangle_+\big) = \tfrac{1}{\sqrt2}\big(|00\rangle_\times - |11\rangle_\times\big)\\
|\Phi^-\rangle &= \tfrac{1}{\sqrt2}\big(|00\rangle_+ - |11\rangle_+\big) = \tfrac{1}{\sqrt2}\big(|01\rangle_\times + |10\rangle_\times\big)\\
|\Psi^-\rangle &= \tfrac{1}{\sqrt2}\big(|01\rangle_+ - |10\rangle_+\big) = \tfrac{1}{\sqrt2}\big(|10\rangle_\times - |01\rangle_\times\big).
\end{aligned}
\]

Due to the special form of the Bell basis, when register R is measured and, as a consequence, one of the four Bell states is observed, the state in register S collapses to that same Bell state. Indeed, when doing the basis transformation, all cross-products cancel each other out. It now follows by inspection that knowledge of the Bell state and the basis r allows to predict the XOR of the two bits observed when measuring the Bell state in basis r. For instance, for the Bell state $|\Psi^+\rangle$, the XOR is 1 if $r = +$ and it is 0 if $r = \times$. □



Note that from the proof above, one can see that the receiver's attack, 
respectively his measurement on each pair of qubits, can be understood as 
teleporting one of the two entangled qubits from the receiver to the sender 
using the other as EPR pair. However, the receiver does not send the outcome 
of his measurement to the sender, but keeps it in order to predict the XOR. 
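As an added check, not from the thesis, of the "by inspection" step in the proof above, the following Python writes each Bell state as an amplitude vector over the + basis, obtains its amplitudes over the × basis by applying $H \otimes H$, and records which parity $x_1 \oplus x_2$ the non-zero amplitudes carry. That the parity is unique for every (Bell state, basis) pair is precisely the reason a fixed XOR mask cannot stand in for the randomized hash f. State labels and helper names are choices of this example.

```python
from itertools import product
from math import sqrt
from typing import Dict, List, Set, Tuple

S = 1 / sqrt(2)
# Bell states as real amplitude vectors over the + (computational) basis;
# the entry for |b1 b2> sits at index 2*b1 + b2.
BELL: Dict[str, List[float]] = {
    "Phi+": [S, 0.0, 0.0, S],
    "Psi+": [0.0, S, S, 0.0],
    "Phi-": [S, 0.0, 0.0, -S],
    "Psi-": [0.0, S, -S, 0.0],
}
HADAMARD = [[S, S], [S, -S]]


def to_diagonal_basis(v: List[float]) -> List[float]:
    """Amplitudes of the same state over the x basis: apply H (x) H."""
    out = [0.0] * 4
    for i1, i2 in product(range(2), repeat=2):
        for j1, j2 in product(range(2), repeat=2):
            out[2 * i1 + i2] += HADAMARD[i1][j1] * HADAMARD[i2][j2] * v[2 * j1 + j2]
    return out


def possible_parities(v: List[float], basis: str) -> Set[int]:
    """Set of values x1 xor x2 that can occur when v is measured in basis."""
    w = v if basis == "+" else to_diagonal_basis(v)
    return {(i >> 1) ^ (i & 1) for i, amp in enumerate(w) if abs(amp) > 1e-9}


def xor_table() -> Dict[Tuple[str, str], int]:
    """(Bell state, basis) -> the single parity that measurement can produce."""
    table: Dict[Tuple[str, str], int] = {}
    for name, v in BELL.items():
        for basis in "+x":
            parities = possible_parities(v, basis)
            if len(parities) != 1:
                raise ValueError(f"parity not determined for {name} in basis {basis}")
            table[(name, basis)] = parities.pop()
    return table


if __name__ == "__main__":
    for (name, basis), parity in xor_table().items():
        print(f"{name} measured in {basis}: x1 xor x2 = {parity}")
```

The table reproduces the example in the proof ($|\Psi^+\rangle$ gives XOR 1 in the + basis and 0 in the × basis) and shows that $|\Psi^-\rangle$ yields XOR 1 in both bases while $|\Phi^+\rangle$ yields 0 in both.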

Clearly, the same strategy also works against any fixed linear function. Therefore, the only hope for doing deterministic privacy amplification is by using a non-linear function. However, it has been shown recently by Ballester, Wehner, and Winter [BWW06], that also this approach is doomed to fail in our scenario, because the outcome of any fixed Boolean function can be perfectly predicted by a dishonest receiver who can store a single qubit and later learns the correct basis $r \in \{+,\times\}$.



5.6 Weakening the Assumptions 

Observe that QOT requires error-free quantum communication, in that a transmitted bit b, that is encoded by the sender and measured by the receiver using the same basis, is always received as b. In addition, it also requires a perfect quantum source which on request produces one and only one qubit in the right state, e.g. one photon with the right polarization. Indeed, in case of noisy quantum communication, an honest receiver in QOT is likely to receive an incorrect bit, and the sender-security of QOT is vulnerable to imperfect sources that once in a while transmit more than one qubit in the same state: a malicious receiver $\tilde R$ can easily determine the basis $r \in \{+,\times\}$ and measure all the following qubits in the right basis. However, current technology only allows to approximate the behavior of single-photon sources and of noise-free quantum communication. It would be preferable to find a variant of QOT that allows to weaken the technological requirements put upon the honest parties.

In this section, we present such a protocol based on BB84 states [BB84], BB84-QOT (see Figure 5.3). The security proof follows essentially by adapting the security analysis of QOT in a rather straightforward way, as will be discussed later.

5.6.1 Weak Quantum Model 

Let us consider a quantum channel with an error probability $\phi < \frac12$, i.e., $\phi$ denotes the probability that a transmitted bit b, that is encoded by the sender and measured by the receiver using the same basis, is received as $1 - b$. In order not to have the security rely on any level of noise, we assume the error probability to be zero when considering a dishonest receiver. Also, let us consider a quantum source which produces two or more qubits (in the same state), rather than just one, with probability $\eta < 1 - \phi$. We call this the $(\phi,\eta)$-weak quantum model. By adjusting the parameters, this model can also cope with dark counts and empty pulses, see Section 9.1.1.

In order to deal with noisy quantum communication, we need to do error-correction without giving the adversary too much information. Techniques to solve this problem are known as information reconciliation (as introduced for instance by Brassard and Salvail [BS93]) or as secure sketches introduced by Dodis, Reyzin, Smith [DRS04]. Let $x \in \{0,1\}^\ell$ be an arbitrary string, and let $x' \in \{0,1\}^\ell$ be the result of flipping every bit in x (independently) with probability $\phi$. It is well known that learning the syndrome S(x) of x, with respect to a suitable efficiently-decodable linear error-correcting code C of length $\ell$, allows to recover x from $x'$, except with negligible probability in $\ell$ (see, e.g., [Mau91, Cre97, DRS04]). Furthermore, it is known from coding theory that, for large enough $\ell$, such a code can be chosen with rate R arbitrarily close to but smaller than $1 - h(\phi)$, i.e., such that the syndrome length s is bounded by $s < (h(\phi) + \varepsilon)\ell$ where $\varepsilon > 0$ (see e.g. [Cre97] or the full version of [DRS04] and the references therein).

Regarding the loss of information, we can use the privacy-amplification statement in form of Corollary 2.25 with $\varepsilon' := 0$ and constant U in a similar way as before, just by appending the classical syndrome S(x) (of length s) to the quantum register E, which results in

\[
\delta\big(\rho_{F(X)FS(X)E},\ \tfrac12\mathbb{1} \otimes \rho_{FS(X)E}\big) \le \sqrt{2^{-H_\infty(X) + q + s + 1}}. \qquad (5.1)
\]
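To make the secure-sketch accounting of the two paragraphs above concrete, here is an added Python example, not from the thesis, that uses the [7,4] Hamming code as the code C with $\ell = 7$: the syndrome S(x) of an arbitrary $x \in \{0,1\}^7$ has $s = 3$ bits, lets the receiver recover x from any $x'$ at Hamming distance at most 1, and every syndrome value is shared by exactly $2^{\ell - s} = 16$ strings, which is the loss of at most s bits of min-entropy that Inequality (5.1) charges through the term $+s$. Names and the exhaustive checks are choices of this example; a real instantiation would use a long code with rate close to $1 - h(\phi)$, as the text describes.

```python
from itertools import product
from typing import List

# Parity-check matrix of the [7,4] Hamming code: column j is the binary
# expansion of j+1 (row 0 = least significant bit), so the syndrome of a
# single flipped bit spells out its 1-based position.  s = 3 rows, l = 7.
ELL = 7
H = [[((j + 1) >> row) & 1 for j in range(ELL)] for row in range(3)]


def syndrome(x: List[int]) -> List[int]:
    """S(x) = H x^T over GF(2); defined for every x, not only for codewords."""
    return [sum(h * xi for h, xi in zip(row, x)) % 2 for row in H]


def leakage_bits() -> int:
    """Length s of the syndrome that is published alongside the qubits."""
    return len(H)


def recover(x_prime: List[int], syn: List[int]) -> List[int]:
    """Receiver side: correct at most one flip in x_prime using S(x)."""
    # H (x xor e)^T xor H x^T = H e^T: the syndrome of the error pattern alone.
    diff = [a ^ b for a, b in zip(syndrome(x_prime), syn)]
    pos = sum(bit << row for row, bit in enumerate(diff))  # 0 means no error
    y = list(x_prime)
    if pos:
        y[pos - 1] ^= 1
    return y


def flip(x: List[int], positions: List[int]) -> List[int]:
    y = list(x)
    for p in positions:
        y[p] ^= 1
    return y


def single_flip_recovery_holds() -> bool:
    """Exhaustive: every x in {0,1}^7 survives zero or one flipped bit."""
    for bits in product((0, 1), repeat=ELL):
        x = list(bits)
        syn = syndrome(x)
        if recover(x, syn) != x:
            return False
        for p in range(ELL):
            if recover(flip(x, [p]), syn) != x:
                return False
    return True


def preimage_count(syn: List[int]) -> int:
    """Number of x with S(x) == syn.  It is 2^(l - s) for every syn, so an
    adversary who sees the syndrome loses at most s bits of uncertainty about x."""
    return sum(1 for bits in product((0, 1), repeat=ELL) if syndrome(list(bits)) == syn)


def double_flip_misleads(x: List[int]) -> bool:
    """Two flips exceed what this code corrects: decoding returns a wrong string."""
    return recover(flip(x, [0, 1]), syndrome(x)) != x


if __name__ == "__main__":
    print("s =", leakage_bits(), "single-flip recovery:", single_flip_recovery_holds())
    print("strings per syndrome:", preimage_count([0, 1, 1]))
```

The last function is the failure mode the rate condition guards against: the honest receiver's error probability must be small enough, relative to what the chosen code corrects, for step 4 of BB84-QOT to return the right bit except with negligible probability.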

Consider the protocol BB84-QOT shown in Figure 5.3 in the $(\phi,\eta)$-weak quantum model. The protocol uses an efficiently decodable linear code $C_\ell$, parametrized in $\ell \in \mathbb{N}$, with codeword length $\ell$, rate $R = 1 - h(\phi) - \varepsilon$ for some small $\varepsilon > 0$, and being able to correct errors occurring with probability $\phi$ (except with negligible probability). Let $S_\ell$ be the corresponding syndrome function. Like before, the memory bound in BB84-QOT applies before Step 3.



BB84-QOT(b):

1. S picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$ and sends $x_i$ in the corresponding bases $|x_1\rangle_{\theta_1},\ldots,|x_n\rangle_{\theta_n}$ to R.

2. R picks $r' \in_R \{+,\times\}$ and measures all qubits in basis $r'$. Let $x' \in \{0,1\}^n$ be the result.

3. S picks $r \in_R \{+,\times\}$, sets $I := \{i : \theta_i = r\}$ and $\ell := |I|$, and announces r, I, $\mathrm{syn} := S_\ell(x|_I)$, $f \in_R \mathcal{F}_\ell$, and $e := b \oplus f(x|_I)$.

4. R recovers $x|_I$ from $x'|_I$ and syn, and outputs $a := 1$ and $b' := e \oplus f(x|_I)$ if $r' = r$ and else $a := 0$ and $b' := 0$.

Figure 5.3: Protocol for the BB84 version of Rabin OT

By the above mentioned properties of the code $C_\ell$, it is obvious that R receives the correct bit b if $r' = r$, except with negligible probability. (The error probability is negligible in $\ell$, but by Chernoff's inequality (Lemma 2.5), $\ell$ is linear in n except with negligible probability.) Also, since there is no communication from R to S, a dishonest sender $\tilde S$ cannot learn whether R received the bit. In fact, BB84-QOT can be shown perfectly receiver-secure in the same way as in Proposition 5.2. Similar as for protocol QOT, in order to argue about sender-security we compare BB84-QOT with a purified version shown in Figure 5.4. BB84-EPR-QOT runs in the $(\phi,0)$-weak quantum model, and the imperfectness of the quantum source assumed in BB84-QOT is simulated by S in BB84-EPR-QOT so that there is no difference from R's point of view.

The security equivalence between BB84-QOT (in the $(\phi,\eta)$-weak quantum model) and BB84-EPR-QOT (in the $(\phi,0)$-weak quantum model) follows along the same lines as in Section 5.2.

Theorem 5.7 In the $(\phi,\eta)$-weak quantum model, BB84-QOT is $\varepsilon$-secure with $\varepsilon$ negligible in n against $\mathfrak{R}_\gamma$ for any $\gamma < \frac{1 - \eta - 2h(\phi)}{4}$ and n large enough.

Proof Sketch: It remains to show that BB84-EPR-QOT is sender-secure against $\mathfrak{R}_\gamma$ (in the $(\phi,0)$-weak quantum model). The reasoning goes analogous to the proof of Theorem 5.5, except that we restrict our attention to those i's which are in J. By Chernoff's inequality (Lemma 2.5), $\ell$ lies within $(1 \pm \varepsilon)n/2$ and $|J|$ within $(1 - \eta \pm \varepsilon)n/2$ except with negligible probability. In order to make the proof easier to read, we assume that $\ell = n/2$ and $|J| = (1 - \eta)n/2$, and we also treat the $\varepsilon$ occurring in the rate of the code $C_\ell$ as zero. For the full proof, we simply need to carry the $\varepsilon$'s along, and then choose them small enough at the end of the proof.

Write $n' = |J| = (1 - \eta)n/2$, and let $\gamma'$ be such that $\gamma n = \gamma' n'$, i.e., $\gamma' = 2\gamma/(1 - \eta)$. Assume $\kappa > 0$ such that $\gamma' + \kappa < \frac12$, where we make sure later that such $\kappa$ exists. It then follows from Corollary 4.17 that there exists an event $\mathcal{E}$ such that $P[\mathcal{E}] \ge \frac12 - \mathrm{negl}(n') = \frac12 - \mathrm{negl}(n)$ and

\[
H_\infty(X|_J \mid R = r, \mathcal{E}) \ge (\gamma' + \kappa)\,n' = \gamma n + \kappa(1 - \eta)\,n/2.
\]

By Inequality (5.1), it remains to argue that this is larger than $q + s = \gamma n + h(\phi)\,n/2$, i.e.,

\[
\kappa(1 - \eta) > h(\phi),
\]

where $\kappa$ has to satisfy

\[
\kappa < \tfrac12 - \gamma' = \tfrac12 - 2\gamma/(1 - \eta).
\]

This can obviously be achieved (by choosing $\kappa$ appropriately) if and only if the claimed bound on $\gamma$ holds. □

BB84-EPR-QOT(b):

1. S prepares n EPR pairs each in state $|\Omega\rangle = \frac{1}{\sqrt2}(|00\rangle + |11\rangle)$. Additionally, S initializes $I'_+ := \emptyset$ and $I'_\times := \emptyset$. For every $i \in \{1,\ldots,n\}$, S does the following. With probability $1 - \eta$, S sends one half of the i-th pair to R and keeps the other half. While with probability $\eta$, S picks $\theta_i \in_R \{+,\times\}$, replaces $I'_{\theta_i}$ by $I'_{\theta_i} \cup \{i\}$ and sends two or more qubits in the same state $|x_i\rangle_{\theta_i}$ to R where $x_i \in_R \{0,1\}$.

2. R picks $r' \in_R \{+,\times\}$ and measures all received qubits in basis $r'$. Let $x' \in \{0,1\}^n$ be the result.

3. S picks a random index set $J \subseteq_R \{1,\ldots,n\} \setminus (I'_+ \cup I'_\times)$. Then, it picks $r \in_R \{+,\times\}$, sets $I := J \cup I'_r$ and $\ell := |I|$, and for each $i \in J$ it measures the corresponding qubit in basis r. Let $x_i$ be the corresponding outcome, and let $x|_I$ be the collection of all $x_i$'s with $i \in I$. S announces r, I, $\mathrm{syn} = S_\ell(x|_I)$, $f \in_R \mathcal{F}_\ell$, and $e = b \oplus f(x|_I)$.

4. R recovers $x|_I$ from $x'|_I$ and syn, and outputs $a := 1$ and $b' := e \oplus f(x|_I)$ if $r' = r$ and else $a := 0$ and $b' := 0$.

Figure 5.4: Protocol for EPR-based Rabin OT, BB84 version

5.7 Rabin OT of Strings 

In this chapter, we only considered Rabin OT of one bit per invocation. Our technique can easily be extended to deal with Rabin OT$^\ell$ of $\ell$-bit strings, essentially by using a class of two-universal functions with range $\{0,1\}^{\ell n}$ rather than $\{0,1\}$, for some $\ell$ with $\gamma + \ell < \frac12$ (respectively $\gamma + \ell < \frac{1 - \eta - 2h(\phi)}{4}$ for BB84-QOT).



Chapter 6

1-2 OT in the Bounded-Quantum-Storage Model



In the last chapter, we have shown how to construct Rabin OT securely in the bounded-quantum-storage model. Although other flavors of OT can be constructed from Rabin OT using standard reductions, a more direct approach gives a better ratio between storage-bound and communication-complexity.

In this chapter, we present an efficient protocol for 1-2 Oblivious Transfer secure in the bounded-quantum-storage model. The protocol is very close to Wiesner's original "conjugate-coding" protocol [Wie83] from the early 70's. The uncertainty relation from Section 4.5 will be extensively used for proving the security.

The results of this section appeared in [DFR+07].

6.1 The Definition

In 1-2 OT$^\ell$, the sender Alice sends two $\ell$-bit strings $S_0, S_1$ to the receiver Bob in such a way that Bob can choose which string he wants to receive, but does not learn anything about the other. Alice does not get to know which string Bob has chosen. As explained in Chapter 3, the common way to build 1-2 OT$^\ell$ is by constructing a protocol for (Sender-)Randomized 1-2 OT$^\ell$, which then can easily be converted into an ordinary 1-2 OT$^\ell$. Rand 1-2 OT$^\ell$ essentially coincides with ordinary 1-2 OT$^\ell$, except that the two strings $S_0$ and $S_1$ are not input by the sender but generated uniformly at random during the protocol and output to the sender.

For the formal definition of the security requirements for a quantum protocol for Rand 1-2 OT$^\ell$, we translate the classical Definition 3.1 to the quantum setting using a similar notation as for the definition of Rabin OT in Section 5.1. Let $C$ denote the binary random variable describing receiver R's choice bit, let $S_0, S_1$ denote the $\ell$-bit long random variables describing sender S's output strings, and let $Y$ denote the $\ell$-bit long random variable describing R's output string (supposed to be $S_C$). Furthermore, for a fixed candidate protocol for Rand 1-2 OT$^\ell$, and for a fixed input distribution for $C$, the overall quantum state in case of a dishonest sender $\hat{\mathrm S}$ is given by the ccq-state $\rho_{CY\hat{\mathrm S}}$. Analogously, in the case of a dishonest receiver $\hat{\mathrm R}$, we have the ccq-state $\rho_{S_0 S_1 \hat{\mathrm R}}$.

Definition 6.1 (Rand 1-2 OT$^\ell$) An $\varepsilon$-secure Rand 1-2 OT$^\ell$ is a quantum protocol between S and R, with R having input $C \in \{0,1\}$ while S has no input, such that for any distribution of $C$, the following holds:

$\varepsilon$-Correctness: If S and R follow the protocol, then S gets output strings $S_0, S_1 \in \{0,1\}^\ell$ and R gets $Y = S_C$ except with probability $\varepsilon$.

$\varepsilon$-Receiver-security: If R is honest, then for any $\hat{\mathrm S}$, there exist$^1$ random variables $S'_0$ and $S'_1$ such that $\Pr[Y = S'_C] \ge 1 - \varepsilon$ and

$$\delta\big(\rho_{C S'_0 S'_1 \hat{\mathrm S}},\ \rho_C \otimes \rho_{S'_0 S'_1 \hat{\mathrm S}}\big) \le \varepsilon .$$

$\varepsilon$-Sender-security: If S is honest, then for any $\hat{\mathrm R}$, there exists a random variable $D \in \{0,1\}$ such that

$$\delta\big(\rho_{S_{1-D} S_D D \hat{\mathrm R}},\ \mathbb{1} \otimes \rho_{S_D D \hat{\mathrm R}}\big) \le \varepsilon .$$

If any of the above holds for $\varepsilon = 0$, then the corresponding property is said to hold perfectly. If one of the properties only holds with respect to a restricted class $\mathfrak{S}$ of $\hat{\mathrm S}$'s respectively $\mathfrak{R}$ of $\hat{\mathrm R}$'s, then this property is said to hold and the protocol is said to be secure against $\mathfrak{S}$ respectively $\mathfrak{R}$.

Receiver-security, as defined here, implies that whatever a dishonest sender does is as good as the following: generate the ccq-state $\rho_{S'_0 S'_1 \hat{\mathrm S}}$ independently of $C$, let R know $S'_C$, and output $\rho_{\hat{\mathrm S}}$. On the other hand, sender-security implies that whatever a dishonest receiver does is as good as the following: generate the ccq-state $\rho_{S_D D \hat{\mathrm R}}$ arbitrarily, let S know $S_D$ and an independent uniformly distributed $S_{1-D}$, and output $\rho_{\hat{\mathrm R}}$. In other words, a protocol satisfying Definition 6.1 is a secure implementation of the natural Rand 1-2 OT$^\ell$ ideal functionality, except that it allows a dishonest sender to influence the distribution of $S_0$ and $S_1$, and the dishonest receiver to influence the distribution of the string of his choice. This is in particular good enough for constructing a standard 1-2 OT$^\ell$ in the straightforward way.

We would like to point out the importance of requiring the existence of $S'_0$ and $S'_1$ in the formulation of receiver-security in a quantum setting: requiring only that the sender learns no information on $C$, as is sufficient in the classical setting (see e.g. [CSSW06]), does not prevent a dishonest sender from obtaining $S_0, S_1$ by a suitable measurement after the execution of the protocol in such a way that he can choose $S_0 \oplus S_1$ at will, and $S_C$ is the string the receiver has obtained in the protocol. This would for instance make the straightforward construction of a bit commitment$^2$ based on 1-2 OT insecure.

$^1$ Recall from Section 2.3: Given a cq-state $\rho_{XE}$, by saying that there exists a random variable $Y$ such that $\rho_{XYE}$ satisfies some condition, we mean that $\rho_{XE}$ can be understood as $\rho_{XE} = \mathrm{tr}_Y(\rho_{XYE})$ for a ccq-state $\rho_{XYE}$ that satisfies the required condition.

$^2$ The committer sends two random bits of parity equal to the bit he wants to commit to, the verifier chooses to receive at random one of those bits.
6.2 The Protocol

We present a quantum protocol for Rand 1-2 OT$^\ell$ that will be shown perfectly receiver-secure against any sender and statistically sender-secure against any quantum-memory-bounded receiver. The first two steps of the protocol are identical to Wiesner's "conjugate coding" protocol [Wie83] from circa 1970 for "transmitting two messages either but not both of which may be received".

The simple protocol is described in Figure 6.1. The sender S sends random BB84 states to the receiver R, who measures all received qubits according to his choice bit $C$. S then picks randomly two functions from a fixed two-universal class of hash functions $\mathcal{F}_n$ from $\{0,1\}^n$ to $\{0,1\}^\ell$, where $\ell$ is to be determined later, and applies them to the bits encoded in the $+$-basis respectively the bits encoded in the $\times$-basis to obtain the output strings $S_0$ and $S_1$. Note that we may apply a function $f \in \mathcal{F}_n$ to an $n'$-bit string with $n' < n$ by padding it with zeros$^3$ (which does not decrease its entropy). S announces the encoding bases and the hash functions to the receiver who then can compute $S_C$. Intuitively, a dishonest receiver who cannot store all the qubits until the right bases are announced will measure some qubits in the wrong basis and thus cannot learn both strings simultaneously.



Rand 1-2 QOT$^\ell$: Let $c$ be R's choice bit.

1. S picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$ and sends $|x_1\rangle_{\theta_1}, |x_2\rangle_{\theta_2}, \dots, |x_n\rangle_{\theta_n}$ to R.

2. R measures all qubits in basis $[+,\times]_c$. Let $x' \in \{0,1\}^n$ be the result.

3. S picks two hash functions $f_0, f_1 \in_R \mathcal{F}_n$, announces $\theta$ and $f_0, f_1$ to R, and outputs $s_0 := f_0(x|^0_{I_0})$ and $s_1 := f_1(x|^0_{I_1})$ where $I_b := \{i : \theta_i = [+,\times]_b\}$.

4. R outputs $s_c = f_c(x'|^0_{I_c})$.

Figure 6.1: Quantum Protocol for Rand 1-2 OT$^\ell$.
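Added here as an illustration, not taken from the thesis: a Python simulation of one honest run of Rand 1-2 QOT$^\ell$ in which the BB84 qubits are replaced by their measurement statistics and the two-universal class $\mathcal{F}_n$ is instantiated with random GF(2) matrices (an assumption; the protocol fixes no particular class). The run checks that R obtains $s_c$ and shows why a receiver who measures everything in basis $[+,\times]_c$ before $\theta$ is announced ends up with outcomes on $I_{1-c}$ that agree with $x$ on only about half of the positions.

```python
import random

# Bases are encoded as 0 = '+' and 1 = 'x', so the receiver's basis [+,x]_c is just c.


def measure_bb84(x, theta, basis, rng):
    """Classical stand-in for measuring the qubits |x_i>_{theta_i} in `basis`.

    Reproduces the BB84 measurement statistics: a qubit measured in its
    encoding basis yields x_i, one measured in the conjugate basis yields a
    uniformly random bit and the original value is lost.
    """
    return [xi if ti == basis else rng.randrange(2) for xi, ti in zip(x, theta)]


def pad_restrict(bits, index_set):
    """x|^0_I from the thesis: keep x_i for i in I, set every other position to 0."""
    return [b if i in index_set else 0 for i, b in enumerate(bits)]


def random_gf2_matrix(ell, n, rng):
    """Draw f as a random ell x n matrix over GF(2) (one n-bit integer per row).
    The class of GF(2)-linear maps is two-universal; using it here is an
    assumption of this example, the thesis leaves the class open."""
    return [rng.getrandbits(n) for _ in range(ell)]


def apply_gf2(matrix, bits):
    """f(x) = M.x over GF(2): the b-th output bit is the parity of row_b AND x."""
    x_int = sum(b << i for i, b in enumerate(bits))
    return tuple(bin(row & x_int).count("1") & 1 for row in matrix)


def agreement(x, x_prime, index_set):
    """Fraction of positions in index_set where the receiver's outcome equals x_i."""
    return sum(x[i] == x_prime[i] for i in index_set) / len(index_set)


def rand_12_qot(n, ell, c, seed=0):
    """One honest run of Rand 1-2 QOT^ell with receiver choice bit c (constructed input)."""
    rng = random.Random(seed)
    # Step 1: S picks x and theta and sends |x_1>_{theta_1}, ..., |x_n>_{theta_n}.
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.randrange(2) for _ in range(n)]
    # Step 2: R measures every qubit in basis [+,x]_c at once (no quantum memory).
    x_prime = measure_bb84(x, theta, c, rng)
    # Step 3: S announces theta, f_0, f_1 and outputs s_b = f_b(x|^0_{I_b}).
    f = [random_gf2_matrix(ell, n, rng) for _ in range(2)]
    index_sets = [{i for i, t in enumerate(theta) if t == b} for b in (0, 1)]
    s = [apply_gf2(f[b], pad_restrict(x, index_sets[b])) for b in (0, 1)]
    # Step 4: R outputs s_c = f_c(x'|^0_{I_c}); on I_c his outcomes equal x exactly.
    s_c = apply_gf2(f[c], pad_restrict(x_prime, index_sets[c]))
    return {
        "s0": s[0],
        "s1": s[1],
        "received": s_c,
        # On I_{1-c} R measured in the conjugate basis, so his outcomes carry no
        # information about x there: the agreement is about 1/2 rather than 1.
        "agree_on_I_c": agreement(x, x_prime, index_sets[c]),
        "agree_on_other": agreement(x, x_prime, index_sets[1 - c]),
    }


if __name__ == "__main__":
    run = rand_12_qot(n=2000, ell=16, c=1, seed=7)
    print("R received s_1 correctly:", run["received"] == run["s1"])
    print("agreement with x on I_1 / on I_0:", run["agree_on_I_c"], run["agree_on_other"])
```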

We would like to stress that although protocol description and analysis are designed for an ideal setting with perfect noiseless quantum communication and with perfect sources and detectors, all our results can easily be extended to a more realistic noisy setting along the same lines as in the previous Chapter 5.

It is clear by the non-interactivity of Rand 1-2 QOT$^\ell$ that a dishonest sender cannot learn anything about the receiver's choice bit. Below, we show Rand 1-2 QOT$^\ell$ perfectly receiver-secure according to Definition 6.1.

Proposition 6.2 Rand 1-2 QOT$^\ell$ is perfectly receiver-secure.

Proof: Recall that the ccq-state $\rho_{CY\hat{\mathrm S}}$ is defined by the experiment where $\hat{\mathrm S}$ interacts with the honest memory-bounded R. We now define (in a new Hilbert space) the ccccq-state $\rho_{CYS'_0S'_1\hat{\mathrm S}}$ by a slightly different experiment: We let $\hat{\mathrm S}$ interact with a receiver with unbounded quantum memory, which waits to receive $\theta$ and then measures the $i$-th qubit in basis $\theta_i$ for $i = 1, \dots, n$. Let $X$ be the resulting string, and define $S'_0 = f_0(X|^0_{I_0})$ and $S'_1 = f_1(X|^0_{I_1})$. Finally, sample $C$ according to $P_C$ and set $Y = S'_C$. It follows by construction that $\Pr[Y \ne S'_C] = 0$ and $C$ is independent of $\rho_{S'_0 S'_1 \hat{\mathrm S}}$. It remains to argue that $\rho_{CY\hat{\mathrm S}} = \rho'_{CY\hat{\mathrm S}}$ so that corresponding $S'_0$ and $S'_1$ also exist in the original experiment. But this is obviously satisfied since the only difference between the two experiments is when and in what basis the qubits at position $i \in I_{1-C}$ are measured, which, once $C$ is fixed, cannot influence $\rho_{Y\hat{\mathrm S}}$ respectively $\rho'_{Y\hat{\mathrm S}}$. $\square$

$^3$ Recall the notation for padding $x|^0_I$ introduced in Section 2.1.

6.3 Security Against Dishonest Receivers

As in Section 5.3, we model dishonest receivers in Rand 1-2 QOT$^\ell$ under the assumption that the maximum size of their quantum storage is bounded. Such adversaries are only required to have bounded quantum storage when Step 3 in Rand 1-2 QOT$^\ell$ is reached. Before and after that, the adversary can store and carry out arbitrary quantum computations involving any number of qubits. Apart from the restriction on the size of the quantum memory available to the adversary, no other assumption is made. In particular, the adversary is not assumed to be computationally bounded and the size of its classical memory is not restricted.

Definition 6.3 The set $\mathfrak{R}_\gamma$ denotes all possible quantum dishonest receivers $\hat{\mathrm R}$ in Rand 1-2 QOT$^\ell$ which have quantum memory of size at most $\gamma n$ when Step 3 is reached.

First, we consider a purified version of Rand 1-2 QOT$^\ell$, EPR Rand 1-2 QOT$^\ell$ in Figure 6.2, where S prepares an EPR pair $|\Phi\rangle = \tfrac{1}{\sqrt 2}(|00\rangle + |11\rangle)$ instead of $|x_i\rangle_{\theta_i}$ and sends one part to the receiver while keeping the other. Only when Step 3 is reached and $\hat{\mathrm R}$'s quantum memory is bound to $\gamma n$ qubits, S measures her qubits in basis $\theta \in_R \{+,\times\}^n$. It is easy to see that for any $\hat{\mathrm R}$, EPR Rand 1-2 QOT$^\ell$ is equivalent to the original Rand 1-2 QOT$^\ell$, and it suffices to prove sender-security for the former. Indeed, S's choices of $\theta$ and $f_0, f_1$, together with the measurements, all commute with $\hat{\mathrm R}$'s actions. Therefore, they can be performed right after Step 1 with no change for $\hat{\mathrm R}$'s view. Modifying EPR Rand 1-2 QOT$^\ell$ that way results in Rand 1-2 QOT$^\ell$.

Theorem 6.4 Rand 1-2 QOT$^\ell$ is $\varepsilon$-secure against $\mathfrak{R}_\gamma$ for a negligible (in $n$) $\varepsilon$ if there exists $\delta > 0$ such that $\gamma n < n/4 - 2\ell - \delta n$.

The proof has the same structure as the security proof for the reduction OT2UOT described at the end of Section 3.4.2. The uncertainty relation from Section 4.5 lower bounds the dishonest receiver's (smooth) min-entropy about the sender's $X$. Hence, we have an (imperfect) $(\infty, \gamma n)$-UOT$(\{0,1\}^n)$ from which we get an ordinary Rand 1-2 OT$^\ell$ via the min-entropy splitting lemma and privacy amplification against quantum adversaries.
EPR Rand 1-2 QOT$^\ell$:

1. S prepares $n$ EPR pairs each in state $|\Phi\rangle = \tfrac{1}{\sqrt 2}(|00\rangle + |11\rangle)$ and sends one half of each pair to R and keeps the other halves.

2. R measures all qubits in basis $[+,\times]_c$. Let $x' \in \{0,1\}^n$ be the result.

3. S picks random $\theta \in_R \{+,\times\}^n$, and she measures the $i$th qubit in basis $\theta_i$. Let $x \in \{0,1\}^n$ be the outcome. S picks two hash functions $f_0, f_1 \in_R \mathcal{F}_n$, announces $\theta$ and $f_0, f_1$ to R and outputs $s_0 := f_0(x|^0_{I_0})$ and $s_1 := f_1(x|^0_{I_1})$ where $I_b := \{i : \theta_i = [+,\times]_b\}$.

4. R outputs $s_c = f_c(x'|^0_{I_c})$.

Figure 6.2: Protocol for EPR-based Rand 1-2 OT$^\ell$.

Proof: Consider the ccq-state $\rho_{X\Theta\hat{\mathrm R}}$ in EPR Rand 1-2 QOT$^\ell$ after $\hat{\mathrm R}$ has measured all but $\gamma n$ of his qubits, where $X$ describes the outcome of the sender measuring her part of the state in random basis $\Theta$. Also, let $F_0$ and $F_1$ be the random variables that describe the random and independent choices of $f_0, f_1 \in \mathcal{F}_n$. Finally, let $X_b$ be $X_b = X|^0_{\{i : \Theta_i = [+,\times]_b\}}$ (padded with zeros so it makes sense to apply $F_b$).

Choose $\lambda, \lambda', \kappa$ all positive, but small enough such that (for large enough $n$)

$$\gamma n < (1/4 - \lambda - \lambda' - \kappa)n - 1 - 2\ell .$$

From the uncertainty relation (Corollary 4.23), we know that $H^\varepsilon_\infty(X_0 X_1 \mid \Theta) \ge (1/2 - 2\lambda)n$ for $\varepsilon$ exponentially small in $n$. Therefore, by the Min-Entropy Splitting Lemma 2.15 there exists a binary random variable $D$ such that

$$H^\varepsilon_\infty(X_{1-D} D \mid \Theta) \ge (1/4 - \lambda)n .$$

We denote by the random variables $F_0, F_1$ Alice's choices of hash functions. It is clear that we can condition (for free) on the independent $F_D$. We write $S_D = F_D(X_D)$, set $\varepsilon' = 2^{-\lambda' n}$, and use the chain rule (Lemma 2.12) to condition on $D, S_D$ as well.

$$\begin{aligned}
H^{\varepsilon+\varepsilon'}_\infty(X_{1-D} \mid \Theta F_D D S_D)
&\ge H^\varepsilon_\infty(X_{1-D} D S_D \mid \Theta F_D) - H_0(D S_D \mid \Theta F_D) - \lambda' n \\
&\ge (1/4 - \lambda - \lambda')n - 1 - \ell \\
&\ge \gamma n + \ell + \kappa n ,
\end{aligned}$$

by the choice of $\lambda, \lambda', \kappa$.

We can now apply privacy amplification in form of Corollary 2.25 to obtain

$$\delta\big(\rho_{S_{1-D} S_D D \Theta F_0 F_1 \hat{\mathrm R}},\ \mathbb{1} \otimes \rho_{S_D D \Theta F_0 F_1 \hat{\mathrm R}}\big) \le \tfrac12\, 2^{-\kappa n/2} + (\varepsilon + \varepsilon') ,$$

which is negligible. This shows $\varepsilon$-sender-security according to Definition 6.1. $\square$

6.4 Extensions

6.4.1 1-2 OT$^\ell$ with Longer Strings

It is possible to extend recent techniques by Wullschleger [Wul07] described in Section 3.4.3 to the quantum case and hence, the security of Rand 1-2 QOT$^\ell$ can be proven against $\mathfrak{R}_\gamma$ if there exists $\delta > 0$ such that $\gamma n < n/4 - \ell - \delta n$.

6.4.2 Weakening the Assumptions

As described in Section 5.6 for Rabin OT, we can extend protocol Rand 1-2 QOT$^\ell$ to work in the $(\phi,\eta)$-weak quantum model. To enable the receiver to recover from errors in the transmission, the sender S additionally sends error-correcting information in Step 3. The players agree beforehand on an efficiently decodable error-correcting code of length $n/2$ with syndrome length $s$ roughly $h(\phi)n/2$ as in Section 5.6. Then, S sends along the two syndromes of $S(x|_{I_0})$ and $S(x|_{I_1})$ (where the $x|_{I_b}$ are padded with 0s or truncated to length $n/2$). It can be argued as for Rabin OT that this will reduce the min-entropy by the length $s$ of the syndrome and hence, we can show sender-security of this protocol against the class of receivers $\mathfrak{R}_\gamma$ with $\gamma$ such that there exists $\delta > 0$ with



6.4.3 Reversing the Quantum Communication

In order to illustrate the versatility of our security analysis, we show that the proofs carry easily over to a protocol where the direction of the quantum communication is reversed. In the protocol described in Figure 6.3, the receiver R of the Rand 1-2 OT sends $n$ qubits, encoded in the basis determined by his choice bit. The sender S of the Rand 1-2 OT measures them in a random basis. The players then proceed as in Rand 1-2 QOT$^\ell$.

It is clear by construction that the protocol is perfectly correct. $\varepsilon$-Sender-security against dishonest receivers in $\mathfrak{R}_\gamma$ can be argued as in Theorem 6.4 above by observing that the uncertainty relation applies to any $n$-qubit state of the honest sender which is measured in a random basis and about which the dishonest receiver holds at most $\gamma n$ qubits of information.

For the security of an honest receiver against a dishonest sender, we can show the existence of the two input strings as in Proposition 6.2 above by
Rand 1-2 QOT$^\ell$: Let $c$ be R's choice bit.

1. R picks $x' \in \{0,1\}^n$ at random and sends $|x'\rangle_{\theta'}$ to S where $\theta' = [+,\times]_c$.

2. S picks $\theta \in_R \{+,\times\}^n$ and measures the received qubits in basis $\theta$. Let $x \in \{0,1\}^n$ be the result.

3. S picks two hash functions $f_0, f_1 \in_R \mathcal{F}_n$, announces $\theta$ and $f_0, f_1$ to R, and outputs $s_0 := f_0(x|^0_{I_0})$ and $s_1 := f_1(x|^0_{I_1})$ where $I_b := \{i : \theta_i = [+,\times]_b\}$.

4. R outputs $s_c = f_c(x'|^0_{I_c})$.

Figure 6.3: Rand 1-2 QOT$^\ell$ with Reversed Quantum Communication.

letting the sender interact with an unbounded receiver. In an error-free model, 
it further holds that the sender cannot infer the basis in which the qubits are 
encoded and therefore does not learn any information about the receiver's choice 
bit. However, in a more realistic setting with multi-pulse emissions, this coding 
scheme with reversed communication is highly insecure, as a malicious sender 
can determine the encoding basis from a multi-pulse qubit. The same problem 
occurred for the Rabin OT-protocol QOT from the last chapter. 



Chapter 7

Quantum Bit Commitment



This chapter is about quantum Bit Commitment (BC) schemes. In BC, a committer C commits himself to a choice of a bit $b \in \{0,1\}$ by exchanging information with a verifier V. We want that V does not learn $b$ (we say the commitment is hiding), yet C can later choose to reveal $b$ in a convincing way, i.e., only the value fixed at commitment time will be accepted by V (we say the commitment is binding).

In the next section, we present a BC scheme from a committer C with bounded quantum memory to an unbounded receiver V. The scheme is peculiar since in order to commit to a bit, the committer does not send anything. During the committing stage, information only goes from V to C. Therefore, there is no way for the verifier to get information about the committed bit, i.e. the scheme is perfectly hiding.

In Section 7.3, we define two notions of the binding property and show our scheme secure against quantum-memory-bounded committers in both of these senses. Similar techniques as in the two previous chapters for the analysis of the oblivious-transfer protocols are used.

The results in this chapter appeared in [DFSS05, DFR+07].

7.1 The Protocol

The protocol is given in Figure 7.1. Intuitively, a commitment to a bit $b$ is made by measuring random BB84 states in basis $\{+,\times\}_{[b]}$.

As for the oblivious-transfer protocols in the two previous chapters, we present an equivalent EPR-version of the protocol that is easier to analyze (see Figure 7.2).

Lemma 7.1 COMM is secure against dishonest committers $\hat{\mathrm C}$ if and only if EPR-COMM is.

Proof: The proof uses similar reasoning as the one for Lemma 5.3. First, it clearly makes no difference if we change Step 4 to the following:

4'. V chooses the subset $I$, measures all qubits with index in $I$ in basis $\{+,\times\}_{[b]}$ and all qubits not in $I$ in basis $\{+,\times\}_{[1-b]}$. V verifies that $x_i = x'_i$ for all $i \in I$ and accepts if and only if this is the case.
COMM($b$):

1. V picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$ and sends $x$, in the corresponding bases $|x_1\rangle_{\theta_1}, |x_2\rangle_{\theta_2}, \dots, |x_n\rangle_{\theta_n}$, to C.

2. C commits to the bit $b$ by measuring all qubits in basis $\{+,\times\}_{[b]}$. Let $x' \in \{0,1\}^n$ be the result.

3. To open the commitment, C sends $b$ and $x'$ to V.

4. V verifies that $x_i = x'_i$ for those $i$ where $\theta_i = \{+,\times\}_{[b]}$. V accepts if and only if this is the case.

Figure 7.1: Protocol for quantum bit commitment



EPR-COMM($b$):

1. V prepares $n$ EPR pairs each in state $|\Phi\rangle = \tfrac{1}{\sqrt 2}(|00\rangle + |11\rangle)$. V sends one half of each pair to C and keeps the other halves.

2. C commits to the bit $b$ by measuring all received qubits in basis $\{+,\times\}_{[b]}$. Let $x' \in \{0,1\}^n$ be the result.

3. To open the commitment, C sends $b$ and $x'$ to V.

4. V measures all his qubits in basis $\{+,\times\}_{[b]}$ and obtains $x \in \{0,1\}^n$. He chooses a random subset $I \subseteq \{1, \dots, n\}$. V verifies that $x_i = x'_i$ for all $i \in I$ and accepts if and only if this is the case.

Figure 7.2: Protocol for EPR-based quantum bit commitment



Finally, we can observe that the view of C does not change if V had made his choice of $I$ and his measurement already in Step 1. Doing the measurements at this point means that the qubits to be sent to C collapse to a state that is distributed identically to the state prepared in the original scheme. The EPR-version is therefore equivalent to the original commitment scheme from C's point of view. $\square$

It is clear that EPR-COMM is hiding, i.e., that the commit phase reveals no information on the committed bit, since no information is transmitted to V at all. Hence we have

Lemma 7.2 EPR-COMM is perfectly hiding.

7.2 Modeling Dishonest Committers

A dishonest committer $\hat{\mathrm C}$ with bounded memory of at most $\gamma n$ qubits in EPR-COMM can be modeled very similarly to the dishonest oblivious-transfer receivers $\hat{\mathrm R}$ from Sections 5.3 and 6.3. $\hat{\mathrm C}$ consists first of a circuit acting on all $n$ qubits received, then of a measurement of all but at most $\gamma n$ qubits, and finally of a circuit that takes the following input: a bit $b$ that $\hat{\mathrm C}$ will attempt to open, the $\gamma n$ qubits in memory, and some ancilla in a fixed state. The output is a string $x' \in \{0,1\}^n$ to be sent to V at the opening stage.

Definition 7.3 We define $\mathfrak{C}_\gamma$ to be the class of all committers $\{\hat{\mathrm C}_n\}_{n>0}$ in COMM or EPR-COMM that, at the start of the opening phase (i.e. at Step 3), have a quantum memory of size at most $\gamma n$ qubits.

7.3 Defining the Binding Property

7.3.1 The "Standard" Binding Condition

In the context of unconditionally secure quantum bit commitment, it is widely accepted that "the right way" of defining the binding property is to require that the probability of opening a commitment successfully to 0 plus the probability of opening it successfully to 1 is essentially upper bounded by one, put forward by Dumais, Mayers, and Salvail [DMS00]. We call this notion weakly binding, as opposed to the new notion of strongly binding defined in the next section below.

Definition 7.4 A (quantum) bit-commitment scheme is weakly binding against $\mathfrak{C}$ if for all $\{\hat{\mathrm C}_n\}_{n>0} \in \mathfrak{C}$, the probability $p_b(n)$ that $\hat{\mathrm C}_n$ opens $b \in \{0,1\}$ with success satisfies

$$p_0(n) + p_1(n) \le 1 + \mathrm{negl}(n) .$$

In the next Section 7.4, we show that EPR-COMM is weakly binding against $\mathfrak{C}_\gamma$ for any $\gamma < \tfrac12$.

Note that the binding condition given here in Definition 7.4 is weaker than the classical one, where one would require that a bit $b$ exists such that $p_b(n)$ is negligible. For a general quantum adversary though who can always commit to 0 and 1 in superposition, this is a too strong requirement; thus, it is typically argued that Definition 7.4 is the best one can hope for.

However, we argue now that this weaker notion is not really satisfactory, and we show that there exists a stronger notion, which still allows the committer to commit to a superposition and thus is not necessarily impossible to achieve in a quantum setting, but which is closer to the classical standard way of defining the binding property.

7.3.2 A Stronger Binding Condition

A shortcoming of Definition 7.4 is that committing bit by bit is not guaranteed to yield a secure string commitment: the argument that one is tempted to use requires independence of the $p_b$'s between the different executions, which in general does not hold.

We now argue that this notion is unnecessarily weak, at least in some cases, and in particular in the case of commitments in the bounded-quantum-storage model where the dishonest committer is forced to do some partial measurement and where we assume honest parties to produce only classical output (by measuring their entire quantum state). Technically, this means that for any dishonest committer $\hat{\mathrm C}$, the joint state of the honest verifier and of $\hat{\mathrm C}$ after the commit phase is a ccq-state $\rho_{VZ\hat{\mathrm C}} = \sum_{v,z} P_{VZ}(v,z)\, |v\rangle\langle v| \otimes |z\rangle\langle z| \otimes \rho^{v,z}_{\hat{\mathrm C}}$, where the first register contains the verifier's (classical) output and the remaining two registers contain $\hat{\mathrm C}$'s (partially classical) output. We propose the following definition.

Definition 7.5 A commitment scheme in the bounded-quantum-storage model is called $\varepsilon$-binding, if for every (dishonest) committer $\hat{\mathrm C}$, inducing a joint state $\rho_{VZ\hat{\mathrm C}}$ after the commit phase, there exists a classical binary random variable $D$, given by its conditional distribution $P_{D|VZ}$, such that for $b = 0$ and $b = 1$ the state $\rho^b_{VZ\hat{\mathrm C}} = \sum_{v,z} P_{VZ|D}(v,z|b)\, |v\rangle\langle v| \otimes |z\rangle\langle z| \otimes \rho^{v,z}_{\hat{\mathrm C}}$ satisfies the following condition. When executing the opening phase on the state $\rho^b_{VZ\hat{\mathrm C}}$, for any strategy of $\hat{\mathrm C}$, the honest verifier accepts an opening to $1 - b$ with probability at most $\varepsilon$.

It is easy to see that the binding property as defined here implies the above discussed weak version, namely $p_b \le P_D(b) + P_D(1-b)\,\varepsilon$ and thus $p_0 + p_1 \le 1 + \varepsilon$. Furthermore, it is straightforward to see that this stronger notion allows for a formal proof of the obvious reduction of a string to a bit commitment by committing bit-wise: the $i$-th execution of the bit commitment scheme guarantees a random variable $D_i$, defined by $P_{D_i|V_iZ_i}$, such that the committer cannot open the $i$-th bit commitment to $1 - D_i$, and thus there exists a random variable $S$, namely $S = (D_1, \dots, D_m)$ defined by $P_{D_1 \cdots D_m | V_1 \cdots V_m Z} = \prod_i P_{D_i|V_iZ}$, such that for any opening strategy, the committer cannot open the list of commitments to any other string than $S$.

In Section 7.5, we show that the bit commitment COMM from Figure 7.1 as a matter of fact satisfies this stronger and more useful notion of security. This turns out to be a rather straightforward consequence of the security of the 1-2 OT scheme from Chapter 6.

7.4 Weak Binding of the Commitment Scheme

In this section, we use the techniques from the analysis of the Rabin OT protocol from Chapter 5 to prove our commitment scheme COMM (or rather its purified version EPR-COMM) weakly binding against quantum-memory-bounded adversarial committers.

Note that the first two steps of EPR-QOT (from Figure 5.2) and EPR-COMM (i.e. before the memory bound applies) are exactly the same! This allows us to reuse Corollary 4.17 and the analysis of Section 5.4 to prove the weakly binding property of EPR-COMM.

Theorem 7.6 For any $\gamma < \tfrac12$, COMM is perfectly hiding and weakly binding against $\mathfrak{C}_\gamma$.

The proof is given below. It boils down to showing that essentially $p_0(n) \le 1 - q_+$ and $p_1(n) \le 1 - q_\times$. The weak binding property then follows immediately from Corollary 4.17. The intuition behind $p_0(n) \le 1 - q_+ = 1 - Q_+(S_+)$ is that a committer has only a fair chance in opening to 0 if $x$ measured in the $+$-basis has large probability, i.e., $x \in S_+$. The following proof makes this intuition precise by choosing the $\varepsilon$ and $\delta$'s correctly.

Proof: It remains to show that EPR-COMM is binding against $\mathfrak{C}_\gamma$. Let $\varepsilon, \delta > 0$ be such that $\gamma + 2h(\delta) + 2\varepsilon < 1/2$, where $h$ is the binary entropy function. Recall that the number $B_{\delta n}$ of $n$-bit strings of Hamming distance at most $\delta n$ from a fixed string is at most $2^{h(\delta)n}$. Let $R$ be the basis, determined by the bit that $\hat{\mathrm C}$ claims in Step 3 and in which V measures the quantum state in Step 4, and let $X$ be the outcome. Corollary 4.17 implies the existence of an event $\mathcal{E}$ such that $P[\mathcal{E} \mid R = +] + P[\mathcal{E} \mid R = \times] \ge 1 - \mathrm{negl}(n)$ and $H_\infty(X \mid R = r, \mathcal{E}) \ge (\gamma + 2h(\delta) + 2\varepsilon)n$. Applying Corollary 2.26 (with constant $U$ and $\varepsilon = 0$), it follows that any guess $\hat X$ for $X$ satisfies

$$P[\hat X \in B_{\delta n}(X) \mid R = r, \mathcal{E}] \le 2^{-\frac12\left(H_\infty(X \mid R = r, \mathcal{E}) - \gamma n - 1\right) + \log(B_{\delta n})} \le 2^{-\varepsilon n + \frac12} .$$

However, if $\hat X \notin B_{\delta n}(X)$ then sampling a random subset of the positions will detect an error except with probability at most $2^{-\delta n}$. Hence, writing $q_+ := P[\mathcal{E} \mid R = +]$ and $q_\times := P[\mathcal{E} \mid R = \times]$,

$$p_0(n) \le (1 - q_+) + q_+ \cdot \big(2^{-\varepsilon n + \frac12} + 2^{-\delta n}\big) \le 1 - q_+ + \mathrm{negl}(n)$$

and analogously $p_1(n) \le 1 - q_\times + \mathrm{negl}(n)$. We conclude that

$$p_0(n) + p_1(n) \le 2 - q_+ - q_\times + \mathrm{negl}(n) \le 1 + \mathrm{negl}(n) .$$

$\square$

7.5 Strong Binding of the Commitment Scheme

In this section, we reuse the analysis of the 1-2 OT protocol from Chapter 6 to prove the strong binding condition.

Theorem 7.7 The quantum bit-commitment scheme COMM is $\varepsilon$-binding according to Definition 7.5 against $\mathfrak{C}_\gamma$ for a negligible (in $n$) $\varepsilon$ if $\gamma < \tfrac14$.

Intuitively, one can argue that $X$ has (smooth) min-entropy about $n/2$ given $\Theta$. The Min-Entropy Splitting Lemma implies that there exists $D$ such that $X_{1-D}$ has smooth min-entropy about $n/4$ given $\Theta$ and $D$. Privacy amplification implies that $F(X_{1-D})$ is close to random given $\Theta$, $D$, $F$ and $\hat{\mathrm C}$'s quantum register of size $\gamma n$, where $F$ is a two-universal one-bit-output hash function, which in particular implies that $\hat{\mathrm C}$ cannot guess $X_{1-D}$. The formal proof is given below.

Proof: It remains to show that EPR-COMM is strongly binding against $\mathfrak{C}_\gamma$. Let $\Theta \in \{+,\times\}^n$ be the random basis that would correspond to the choice of basis in the first step of COMM, i.e. $\theta_i = \{+,\times\}_{[b]}$ for $i \in I$ and $\theta_i = \{+,\times\}_{[1-b]}$ for $i \notin I$. Let $X$ be the measurement outcome when V measures his halves of the EPR-pairs in basis $\Theta$.

Recall that $h(\cdot)$ denotes the binary Shannon entropy. Choose $\lambda, \lambda', \kappa$ and $\delta$ all positive, but small enough such that $\gamma < 1/4 - \lambda - \lambda' - 2h(\delta) - 2\kappa$, $h(\delta) < \lambda' - \kappa$, and $h(\delta) < \tfrac{\lambda^4}{32} - \kappa$. Before Step 3, the overall state is given by the ccq-state $\rho_{X\Theta\hat{\mathrm C}}$ after $\hat{\mathrm C}$ has measured all but $\gamma n$ of his qubits, where $X$ describes the outcome of the verifier V measuring his part of the state in random basis $\Theta$. From the uncertainty relation (Corollary 4.23), we know that $H^\varepsilon_\infty(X \mid \Theta) \ge (1/2 - 2\lambda)n$ for $\varepsilon = 2^{-\frac{\lambda^4}{32} n}$ exponentially small in $n$. Therefore, by Corollary 2.16 there exists a binary random variable $D \in \{0,1\}$ such that for $\varepsilon' = 2^{-\lambda' n}$, it holds that

$$H^{\varepsilon+\varepsilon'}_\infty(X_{1-D} \mid \Theta D) \ge (1/4 - \lambda - \lambda')n - 1 \ge \gamma n + 2h(\delta)n + 2\kappa n - 1 .$$

Recall that $B_{\delta n} \le 2^{h(\delta)n}$. Applying Corollary 2.26 it follows that any guess $\hat X$ for $X_{1-D}$ satisfies

$$\begin{aligned}
P[\hat X \in B_{\delta n}(X_{1-D})] &\le 2^{-\frac12\left(H^{\varepsilon+\varepsilon'}_\infty(X_{1-D} \mid \Theta D) - \gamma n - 1\right) + \log(B_{\delta n})} + (2\varepsilon + 2\varepsilon')\, B_{\delta n} \\
&\le 2^{-\frac12(2\kappa n - 2)} + 2 \cdot 2^{-\frac{\lambda^4}{32} n + h(\delta) n} + 2 \cdot 2^{-\lambda' n + h(\delta) n} \\
&\le 2 \cdot 2^{-\kappa n} + 2 \cdot 2^{-\kappa n} + 2 \cdot 2^{-\kappa n} ,
\end{aligned}$$

which is negligible by the choice of the parameters. $\square$



7.6 Weakening the Assumptions

As argued earlier, assuming that a party can produce single qubits (with probability 1) is not reasonable given current technology. Also the assumption that there is no noise on the quantum channel is impractical. It can be shown that a straightforward modification of COMM remains secure in the $(\phi,\eta)$-weak quantum model as introduced in Section 5.6 (see also Section 9.1.1), with $\phi < \tfrac12$ and $\eta < 1 - \phi$.

The protocol COMM' in Figure 7.3 is the same as COMM from Figure 7.1 except that in the last Step 4, V accepts if and only if $x_i = x'_i$ for all but about a $\phi$-fraction of the $i$ where $\theta_i = \{+,\times\}_{[b]}$. More precisely, for all but a $(\phi + \varepsilon)$-fraction, where $\varepsilon > 0$ is sufficiently small.

Theorem 7.8 In the $(\phi,\eta)$-weak quantum model, COMM' is perfectly hiding and it is weakly binding against $\mathfrak{C}_\gamma$ for any $\gamma$ satisfying $\gamma < \tfrac12(1-\eta) - 2h(\phi)$.

Proof Sketch: Using Chernoff's inequality (Lemma 2.5), one can argue that for honest C and V, the opening of a commitment is accepted except with negligible probability. The hiding property holds using the same reasoning as in Lemma 7.2. And the binding property can be argued essentially along
COMM'($b, \phi$):

1. V picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$ and sends $x$, in the corresponding bases $|x_1\rangle_{\theta_1}, |x_2\rangle_{\theta_2}, \dots, |x_n\rangle_{\theta_n}$, to C.

2. C commits to the bit $b$ by measuring all qubits in basis $\{+,\times\}_{[b]}$. Let $x' \in \{0,1\}^n$ be the result.

3. To open the commitment, C sends $b$ and $x'$ to V.

4. V verifies that $x_i = x'_i$ for $i$ where $\theta_i = \{+,\times\}_{[b]}$. V accepts if and only if this is the case for all but a $\phi$-fraction of these positions.

Figure 7.3: Protocol for noise-tolerant quantum bit commitment



the lines of Theorem 7.6 with the following modifications. Let $J$ denote the set of indices $i$ where V succeeds in sending a single qubit. We restrict the analysis to those $i$'s which are in $J$. By Chernoff's inequality (Lemma 2.5), the cardinality of $J$ is about $(1-\eta)n$ (meaning within $(1 - \eta \pm \varepsilon)n$), except with negligible probability. Thus, restricting to these $i$'s has the same effect as replacing $\gamma$ by $\gamma/(1-\eta)$ (neglecting the $\pm\varepsilon$ to simplify notation). Assuming that $\hat{\mathrm C}$ knows every $x_i$ for $i \notin J$, for all $x_i$'s with $i \in J$, he has to be able to guess all but about a $\phi/(1-\eta)$-fraction correctly, in order to be successful in the opening. Using Corollary 2.26 we can show that for a correctly chosen $\delta > 0$, the probability of guessing $\hat X$ within Hamming distance $\delta n$ to the real $X$ is negligible. Therefore, $\hat{\mathrm C}$ succeeds with only negligible probability if the fraction of allowed errors $\phi/(1-\eta)$ is smaller than $\delta$, i.e.

$$\phi/(1-\eta) < \delta .$$

Additionally, in order for the machinery from Theorem 7.6 to work, $\delta$ must be such that

$\delta$ can be chosen that way if

$$\frac{\gamma}{1-\eta} + 2h\!\left(\frac{\phi}{1-\eta}\right) < \frac12 .$$

Using the fact that $h(\nu p) \le \nu\, h(p)$ for any $\nu \ge 1$ and $0 < p \le \tfrac12$ such that $\nu p \le 1$, this is clearly satisfied if $\gamma + 2h(\phi) < \tfrac12(1-\eta)$. $\square$

Theorem 7.9 In the (φ, η)-weak quantum model, COMM^φ is perfectly hiding 
and it is strongly binding against $\mathfrak{F}_\gamma$ for any γ satisfying 
$\gamma < \tfrac{1}{4}(1-\eta) - 3h(\varphi) - \sqrt{32\,h(\varphi)}$. 



Proof Sketch: The proof goes like the proof of Theorem 7.8 but uses the 
techniques from Section 7.5. In order for those to work, we need to choose 
Λ, Λ', and δ all positive and such that 

$$\frac{\gamma}{1-\eta} + 2h(\delta) + \Lambda' + \Lambda < \frac{1}{4}, \qquad \frac{\varphi}{1-\eta} < \delta, \qquad h(\delta) < \Lambda' . \qquad (7.1)$$

We verify that the assumption $\gamma < \tfrac{1}{4}(1-\eta) - 3h(\varphi) - \sqrt{32\,h(\varphi)}$ on γ allows 
for that. Rearranging the terms and using that x ≤ √x for 0 ≤ x ≤ 1 yields 

$$\frac{\gamma}{1-\eta} + \frac{3h(\varphi)}{1-\eta} + \sqrt{\frac{32\,h(\varphi)}{1-\eta}} < \frac{1}{4} .$$

Using as in the previous proof the fact that h(νp) ≤ νh(p) for any ν ≥ 1 and 
0 < p ≤ 1/2 such that νp ≤ 1, we get that 

$$\frac{\gamma}{1-\eta} + 3h\!\left(\frac{\varphi}{1-\eta}\right) + \sqrt{32\,h\!\left(\frac{\varphi}{1-\eta}\right)} < \frac{1}{4} .$$

That allows to choose δ > 0 such that 

$$\frac{\gamma}{1-\eta} + 2h(\delta) + h(\delta) + \sqrt{32\,h(\delta)} < \frac{1}{4} ,$$

and therefore, also Λ and Λ' can be chosen such that the conditions (7.1) are 
fulfilled. □ 



Chapter 8 

QKD Secure Against Quantum-Memory-Bounded Eavesdroppers 



In this chapter, we present another application for the uncertainty relation 
derived in Section 4.3. This illustrates that these relations are useful in scenarios 
beyond the simple two-party setting. 

In Quantum Key Distribution (QKD), two honest players Alice and Bob 
want to agree on a secure key, using only completely insecure quantum and au- 
thentic classical communication. The computationally unbounded eavesdropper 
Eve should not get any information about the key. A major difficulty when im- 
plementing QKD schemes is that they require a low-noise quantum channel. 
The tolerated noise level depends on the actual protocol and on the desired se- 
curity of the key. Because the quality of the channel typically decreases with its 
length, the maximum tolerated noise level is an important parameter limiting 
the maximum distance between Alice and Bob. 

We consider a model in which the adversary has a limited amount of quan- 
tum memory to store the information she intercepts during the protocol execu- 
tion. In this model, we show that the maximum tolerated noise level is larger 
than in the standard scenario where the adversary has unlimited resources. 

For simplicity, we restrict ourselves to one-way QKD protocols which are 
protocols where error-correction is performed non-interactively, i.e., a single 
classical message is sent from one party to the other. 



The results in this chapter appeared in [DFR+07]. 



8.1 Derivation of the Maximum Tolerated Noise Level 

Let S be a set of orthonormal bases of a d-dimensional Hilbert space ℋ_d. For 
each basis ϑ ∈ S, we assume that the d basis vectors are parametrized by the 
elements of the fixed set X of size |X| = d. We then consider QKD protocols 
consisting of the steps described in Figure 8.1. 

One-Way QKD: let N ∈ ℕ be arbitrary 

1. Preparation: For i = 1 ... N, Alice chooses at random a basis ϑ_i ∈ S and a random element X_i ∈ X. She encodes X_i into the state of a quantum system according to the basis ϑ_i and sends this system to Bob. Bob measures each of the states he receives according to a randomly chosen basis ϑ'_i and stores the outcome Y_i ∈ X of this measurement. 

2. Sifting: Alice and Bob publicly announce their choices of bases and keep their data at position i only if ϑ_i = ϑ'_i. In the following, we denote by X and Y the concatenation of the remaining data X_i and Y_i, respectively. X and Y are sometimes called the sifted raw key. 

3. Error correction: Alice computes some error correction information C depending on X and sends C to Bob. Bob computes a guess X̂ for Alice's string X, using C and Y. 

4. Privacy amplification: Alice chooses at random a function f from a two-universal family of hash functions and announces f to Bob. Alice and Bob then compute the final key by applying f to their strings X and X̂, respectively. 

Figure 8.1: General form for one-way QKD protocols. 

Note that the quantum channel is only used in the preparation step. Afterwards, 
the communication between Alice and Bob is only classical (over an 
authentic channel). 

As shown in [Ren05, Lemma 6.4.1], the length ℓ of the secret key that can 
be generated by the protocol described above is given by (footnote 1) 

$$\ell \approx H^{\varepsilon}_{\min}(\rho_{XE}\,|\,E) - H_0(C) ,$$

where the cq-state ρ_XE is the state of the quantum system with the property 
that E contains all the information Eve has gained during the preparation step 
of the protocol and where H_0(C) is the number of error correction bits sent from 
Alice to Bob. Note that this formula can be seen as a generalization of the well-known 
expression by Csiszár and Körner for classical key agreement [CK78]. 

Let us now assume that Eve's system E can be decomposed into a classical 
part U and a purely quantum part E'. Then, by the same derivation as in the 
proof of Corollary 2.25, we find 

$$\ell \approx H^{\varepsilon}_{\min}(\rho_{XUE'}\,|\,UE') - H_0(C) \;\ge\; H^{\varepsilon}_{\infty}(X\,|\,U) - H_{\max}(\rho_{E'}) - H_0(C) .$$

As, during the preparation step, Eve does not know the encoding bases which 
are chosen at random from the set S, we can apply our uncertainty relation 
(Theorem 4.22) to get a lower bound for the min-entropy of X conditioned on 
Eve's classical information U, i.e., 

$$H^{\varepsilon}_{\infty}(X\,|\,U) \ge M h ,$$

where M denotes the length of the sifted raw key X and h is the average entropic 
uncertainty bound for S. [write much more!] Let q be the bound on the size of 
Eve's quantum memory, H_max(ρ_{E'}) ≤ q. Moreover, let e be the average amount 
of error correction information that Alice has to send to Bob per symbol of the 
sifted raw key X. Then 

$$\ell \gtrsim M(h - e) - q .$$

Hence, if the memory bound only grows sublinearly in the length M of the 
sifted raw key, then the key rate, i.e., the number of key bits generated per bit 
of the sifted raw key, is lower bounded by 

$$\mathrm{rate} \ge h - e .$$

Footnote 1: The approximation in this and the following equations holds up to some small additive 
value which depends logarithmically on the desired security ε of the final key. 

8.2 The Binary-Channel Setting 

For a binary channel (with a two-dimensional Hilbert space ℋ_2), the average 
amount of error correction information e is given by the binary Shannon 
entropy h(p) (see footnote 2), where p is the bit-flip probability (for classical bits encoded 
according to some orthonormal basis as described above). The achievable key 
rate of a QKD protocol using a binary quantum channel is thus given by 

$$\mathrm{rate}_{\mathrm{binary}} \ge h - h(p) .$$

Summing up, we have derived the following theorem. 

Theorem 8.1 Let S be a set of orthonormal bases of ℋ_2 with average entropic 
uncertainty bound h. Then, a one-way QKD protocol as in Figure 8.1 produces 
a secure key against eavesdroppers whose quantum-memory size is sublinear in 
the length of the raw key (i.e., sublinear in the number of qubits sent from Alice 
to Bob) at a positive rate as long as the bit-flip probability p fulfills 

$$h(p) < h . \qquad (8.1)$$

For the BB84 protocol [BB84], we have h = 1/2 (cf. Inequality (02D)). Inequality 
(8.1) is thus satisfied as long as p < 11%. This bound coincides with 
the known bound for one-way QKD in the standard model (with an unbounded 
eavesdropper). So, using our analysis here, the memory bound does not give 
an advantage. 

The situation is different for the six-state protocol where h = 2/3. According 
to (8.1), security against memory-bounded adversaries is guaranteed 
(i.e. h(p) < 2/3) as long as p < 17%. If one requires security against an 
unbounded adversary, the threshold for the same protocol lies below 13% as 
shown by Lo [Lo01], and even the best known QKD protocol on binary channels 
with one-way classical post-processing can only tolerate noise up to roughly 
14.1% [RGK05]. It has also been shown that, in the unbounded model, no such 
protocol can tolerate an error rate of more than 16.3%. 

The performance of QKD protocols against quantum-memory-bounded eavesdroppers 
can be improved further by making the choice of the encoding bases 
more random. For example, they might be chosen from the set of all possible 
orthonormal bases on a two-dimensional Hilbert space. As shown in 
Section 4.5.3, the overall average entropic uncertainty bound is then given by 
h ≈ 0.72 and (8.1) is satisfied if p ≲ 20%. For an unbounded adversary, the 
thresholds are the same as for the six-state protocol (i.e., 14.1% for the best 
known one-way protocol). 

Footnote 2: This value of e is only achieved if an optimal error-correction scheme is used. In practical 
implementations, the value of e might be slightly larger. 
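The following Python code is an added worked example, not part of the thesis: it evaluates the binary-channel bound of Theorem 8.1 by computing h(p), solving h(p) = h by bisection for the three basis sets named above (the uncertainty bounds 1/2, 2/3 and ≈0.72 are taken from the text), and evaluating the key-length bound of Section 8.1 for constructed sample parameters; the function names are my own.

```python
import math


def h(p: float) -> float:
    """Binary Shannon entropy h(p) = -p log2 p - (1-p) log2 (1-p)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


# Average entropic uncertainty bounds for the basis sets discussed in
# Section 8.2 (values quoted from the text; 0.72 is the approximate
# value for the set of all orthonormal bases of H_2).
UNCERTAINTY_BOUNDS = {
    "BB84": 1.0 / 2.0,
    "six-state": 2.0 / 3.0,
    "all bases of H_2": 0.72,
}


def key_rate_bound(h_bar: float, p: float) -> float:
    """rate_binary >= h_bar - h(p): key bits per bit of sifted raw key against
    an eavesdropper whose quantum memory is sublinear in the raw-key length."""
    return h_bar - h(p)


def key_length_bound(h_bar: float, p: float, M: int, q: float) -> float:
    """Section 8.1: l >~ M*(h_bar - e) - q with e = h(p) on a binary channel
    (optimal error correction assumed); q bounds Eve's quantum memory."""
    return M * (h_bar - h(p)) - q


def noise_threshold(h_bar: float, tol: float = 1e-9) -> float:
    """Largest bit-flip probability p (< 1/2) still satisfying Inequality (8.1),
    h(p) < h_bar, found by bisection since h is increasing on [0, 1/2]."""
    if h_bar >= 1.0:
        return 0.5
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if h(mid) < h_bar:
            lo = mid
        else:
            hi = mid
    return lo


def thresholds() -> dict:
    """Tolerated bit-flip probability for every basis set in UNCERTAINTY_BOUNDS."""
    return {name: noise_threshold(b) for name, b in UNCERTAINTY_BOUNDS.items()}


if __name__ == "__main__":
    for name, p_max in thresholds().items():
        print(f"{name:18s} h = {UNCERTAINTY_BOUNDS[name]:.3f}  tolerated p < {100 * p_max:.2f}%")
    # Constructed parameters: 10^5 sifted bits, 5% bit flips, Eve stores 1000 qubits.
    print("six-state key length bound:", key_length_bound(2 / 3, 0.05, 100_000, 1000))
```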

8.3 Possible Extensions 

It is an interesting open problem to consider protocols using higher-dimensional 
quantum systems. The results described in Section 4.5.3 show that for high- 
dimensional systems, the average entropic uncertainty bound converges to its 
theoretical maximum. The maximal tolerated channel noise might thus be 
higher for such protocols (depending on the noise model for higher-dimensional 
quantum channels). 

Another interesting problem is to derive completely one-way quantum-key- 
distribution schemes, i.e. to eliminate the interactive sifting phase from the 
protocol in Figure 8.1. The idea is to let the honest parties use a pre-shared 
secret key to determine the bases of the encoding. If a key of size linear in the 
number of qubits is used, the scheme has to guarantee that a big portion of the 
key can be reused several times in order to yield a reasonable amount of fresh 
key. Quantifying the amount of information an eavesdropper can learn about 
the pre-shared key by interfering in the preparation step and eavesdropping on 
the following classical communication is an open problem. 

Another approach consists of expanding a pre-shared key of size only log- 
arithmic in the number of qubits into a pseudo-random linear-size key to de- 
termine the bases of the encoding. It is an open question how to extend our 
uncertainty relation from Section 4.5 to the case of only pseudo-random bases. 



Chapter 9 

Conclusion 



9.1 Towards Practice 

In the following two sections, we elaborate on the question how close to practice 
our systems are. First, we argue that imperfections occurring in practice like 
dark counts and empty pulses are covered by our (φ, η)-weak quantum model 
used in Sections 5.6, 6.4.2 and 7.6. Second, we sketch how our techniques can 
be extended to the more realistic setting of noisy quantum memory. 

9.1.1 More Imperfections 

A natural approach for implementing two-party protocols like BB84-QOT, Rand 
1-2 QOT, and COMM is to use the polarization of photons governed by the laws 
of quantum optics. Such systems are nowadays at the stage where they can be 
built in an optical physics lab. Besides the already modeled bit errors and multi- 
pulse emissions, more imperfections of the physical apparatus such as empty 
pulses and dark counts need to be taken into account. 

The players have synchronized clocks and in every predefined time slot, the 
sender is supposed to send out a single qubit. In practice, weak coherent pulses 
are used to approximate single-photon sources by producing on average only a 
small fraction of one qubit per pulse. This means that most of the pulses are 
empty, but on the other hand, there is also a small probability for a multi-qubit 
pulse. The receiver reports to the sender in which time slots he received pulses. 

Empty pulses also occur when the quantum channel lets a transmitted qubit 
escape or when it is absorbed. It is realistic that a good estimate on the rate 
at which empty pulses are produced (when no adversary is present) is known, 
e.g., from the hardware specifications and by measuring and calibrating the 
experimental setup. In this case, the adversary can only take advantage of 
empty pulses caused by absorption in the fiber. The best the adversary can 
do is to substitute the fiber for one that preserves all qubits sent and to report 
empty pulses when a single pulse has been received. The effect is to increase the 
rate at which multi-qubit pulses occur. This attack is known as Photon-Number- 
Splitting attack as first noted by Huttner, Imoto, Gisin, and Mor [HIGM95] and 
for instance explained in [BLMS00a, BLMS00b] in the setting of quantum key 
distribution. It follows that empty pulses can also be included in the (φ, η)-weak 
quantum model by an appropriate adjustment of parameter η. 

Furthermore, thermal fluctuation in the detector hardware might result in 
detection even though no qubit was received. This is called a dark count. In this 
time slot, the receiver will report the reception of a qubit and as the outcome 
is random, it agrees with the actual bit sent with probability 1/2. 

Formally, assume that a practical implementation of BB84-QOT, Rand 1-2 
QOT, or COMM takes place in a setting where φ_x is the probability for a bit 
error caused by the channel, φ_DC is the probability for a dark count in a specific 
time slot, η_MQ is the probability for a multi-qubit transmission in a non-empty 
pulse, and η_AB is the probability for an empty pulse caused by absorption of a 
non-empty pulse. In these terms, dark counts contribute to the bit-error 
rate φ_x. If the adversary is able to get perfect transmission, she can suppress 
single-qubit pulses up to a rate of η_AB, thereby increasing the rate η_MQ of multi- 
photon pulses by a factor of 1/(1 − η_AB). It follows that if BB84-QOT, COMM, and Rand 1-2 
QOT are secure in the (φ_x + φ_DC/2, η_MQ/(1 − η_AB))-weak quantum model, then their 
implementation is also secure, provided it is accurately modeled by these four 
parameters. 

Likewise, a variety of imperfections specific to particular implementations 
may be adapted to the weak quantum model. 
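As an added worked example (not part of the thesis), the following Python code maps the four hardware parameters of this section onto the weak-model pair (φ, η) and evaluates the binding conditions of Theorems 7.8 and 7.9 for an adversary holding a fraction γ of the n transmitted qubits; the hardware values it uses are constructed, and the function names are my own.

```python
import math


def h(p: float) -> float:
    """Binary Shannon entropy (base 2)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def weak_model_params(phi_x, phi_dc, eta_mq, eta_ab):
    """Map the hardware parameters of Section 9.1.1 onto (phi, eta) of the
    weak quantum model. A dark count gives a random outcome, so it causes a
    bit error with probability 1/2; suppressing single-qubit pulses at rate
    eta_ab raises the multi-qubit rate by a factor 1/(1 - eta_ab)."""
    return phi_x + phi_dc / 2.0, eta_mq / (1.0 - eta_ab)


def comm_gamma_bound(phi, eta):
    """Theorem 7.8 condition gamma + 2h(phi) < (1-eta)/2, rearranged: the
    supremum of the memory fraction gamma for which the binding proof
    applies. A non-positive value means the proof gives no guarantee."""
    return (1.0 - eta) / 2.0 - 2.0 * h(phi)


def comm_strong_gamma_bound(phi, eta):
    """Theorem 7.9 condition gamma < (1-eta)/4 - 3h(phi) - sqrt(32 h(phi))."""
    return (1.0 - eta) / 4.0 - 3.0 * h(phi) - math.sqrt(32.0 * h(phi))


def comm_is_binding(gamma, phi_x, phi_dc, eta_mq, eta_ab, strong=False):
    """True if these hardware parameters and an adversary with gamma*n qubits
    of quantum memory satisfy the binding condition of Theorem 7.8
    (strong=False) or the strong-binding condition of Theorem 7.9."""
    phi, eta = weak_model_params(phi_x, phi_dc, eta_mq, eta_ab)
    bound = comm_strong_gamma_bound(phi, eta) if strong else comm_gamma_bound(phi, eta)
    return gamma < bound


if __name__ == "__main__":
    # Constructed hardware parameters, not measurements from any real setup.
    params = dict(phi_x=0.02, phi_dc=0.01, eta_mq=0.05, eta_ab=0.20)
    phi, eta = weak_model_params(**params)
    print(f"effective weak-model parameters: phi={phi:.4f}, eta={eta:.4f}")
    print(f"binding (Thm 7.8) for gamma < {comm_gamma_bound(phi, eta):.4f}")
    print(f"strong binding (Thm 7.9) for gamma < {comm_strong_gamma_bound(phi, eta):.4f}")
```

For the constructed parameters the strong-binding bound is negative, which shows how much more demanding the condition of Theorem 7.9 is than that of Theorem 7.8 once any channel noise is present.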

9.1.2 Generalizing the Memory Model 

The bounded-quantum-storage model limits the number of physical qubits the 
adversary's memory can contain. A more realistic model would rather address 
the noise process the adversary's memory undergoes. For instance, it is not 
hard to build a very large, but unreliable memory device containing a large 
number of qubits. It is reasonable to expect that our protocols remain secure 
also in a scenario where the adversary's memory is of arbitrary size, but where 
some quantum operation (modeling noise) applies to it. If we do not substitute 
H_max(ρ_E) with the number of qubits q in Term (2.6) in the privacy-amplification 
Section 2.5, then our constructions can cope with slightly more general memory 
models. In particular, all our protocols that are secure against adversaries with 
memory of no more than γn qubits are also secure against any noise model that 
reduces the rank of the mixed state ρ_E held by the adversary, i.e., 2^{H_max(ρ_E)}, to at 
most 2^{γn}. 

An example of a noise process resulting in a reduction of H_max(ρ_E) is an 
erasure channel. Assuming the n initial qubits are each erased with probability 
larger than 1 − γ when the memory bound applies, it holds except with negligible 
probability in n that H_max(ρ_E) ≤ γn. The same applies if the noise process is 
modeled by a depolarizing channel with error probability p = 1 − γ. Such a 
depolarizing channel replaces each qubit by a random one with probability p 
and does nothing with probability 1 − p. 

The technique we have developed does not allow us to deal with depolarizing 
channels with p < 1 − γ, although one would expect that some 0 < p < 1 − γ 
should be sufficient to ensure security against such adversaries. The reason 
is that not knowing the positions where the errors occurred should make 
it more difficult for the adversary than when the noise process is modeled by 
an erasure channel. However, it seems that our uncertainty relations are not 
strong enough to address this case. Generalizing the bounded-quantum-storage 
model to more realistic noisy-memory models is an interesting open question. 

9.2 Conclusion 

The bounded-quantum-storage model presented in this thesis is an attractive 
model, in both the theoretical and practical sense. On the theoretical side, it 
allows for very simple protocols implementing basic two-party primitives such 
as oblivious transfer and bit commitment. New high-order entropic uncertainty 
relations have been established in order to show the security with the help 
of techniques such as purification and privacy amplification by two-universal 
hashing. These uncertainty relations can also be applied in different settings 
like quantum key distribution. 

On the practical side, the protocols do not require any quantum memory for 
honest players and remain secure provided the adversary has a quantum mem- 
ory of size bounded by a constant fraction of all transmitted qubits. Such a gap 
between the amount of storage required for honest players and adversaries is not 
achievable by classical means. The protocols can be adapted to tolerate various 
kinds of errors and in fact, they can be implemented with today's technology. 
A collaboration of people from the computer science and physics departments 
of the University of Aarhus is currently working on the implementation of these 
protocols (see footnote 1). 

In summary, one can say that the bounded-quantum-storage model has 
passed its first tests by proving its power (the possibility of oblivious trans- 
fer) and by inspiring beautiful theoretical results (quantum uncertainty rela- 
tions). It is a good sign that the protocols for the basic primitives are simple 
in structure. In principle, enough instances of these protocols could be used to 
implement more involved cryptographic tasks like secure identification, which 
reduces essentially to securely checking whether two inputs are equal (without 
revealing more than this mere bit of information). However, it is a natural 
next step to find more efficient, direct protocols for those tasks, secure in the 
bounded-quantum-storage model. Such a direct approach gives a better ratio 
between storage-bound and communication-complexity and is the topic of a 
recent paper [DFSS07]. 

A major open problem is the optimality of the bounds on the adversary's 
quantum memory. The bit-commitment protocol COMM for instance appears 
to be secure against any adversary with memory less than n qubits, but our 
analysis requires the memory to be smaller than n/2 (or n/4 for strong binding). 
Also, finding protocols secure against adversaries in more general noisy-memory 
models, as discussed in the last Section 9.1.2, would certainly be a natural 
and interesting extension of this work to more practical settings [DSTW07] . 
Furthermore, there is still a lack of simple and intuitive security definitions for 
primitives like 1-2 OT etc. with rigorous composability results (like universal 
composability) in the quantum setting. Very recent results in this direction 
have been established in [WW07]. 

Footnote 1: See http://www.brics.dk/~salvail/qusep.html for further information on the QUSEP 
project. 



Notation 

General 

log : binary logarithm 
ln : natural logarithm 
ℕ : natural numbers: 1, 2, 3, ... 
ℝ : real numbers 
[a, b] : set of real numbers r such that a ≤ r ≤ b 
(a, b] : set of real numbers r such that a < r ≤ b 
x|_I : substring of x consisting of bit positions in index set I 
x|_I^0 : as above, padded with 0s 
B^{δn}(x) : set of n-bit strings with Hamming distance at most δn from x 
negl(n) : any function in n smaller than the inverse of any polynomial for large enough n 
[+, ×]_b : + for b = 0 and × for b = 1 
Kronecker delta 

Classical Information Theory 

P_{X|Y} : conditional probability distribution of X given Y 
E[R] : expected value of the real random variable R 
δ(P, Q) : variational distance between distributions P and Q 
P ≈_ε Q : P and Q are at variational distance at most ε 
UNIF : independent and uniformly distributed binary random variable 
UNIF^ℓ : ℓ copies of it 
ℰ : event 
1_ℰ : indicator random variable of event ℰ 
Markov chain 

Quantum Information Theory 

ℋ_d : Hilbert space of dimension d 
𝒫(ℋ) : set of density operators on ℋ 
ρ : density operator: normalized, Hermitian, non-negative 
tr(ρ) : trace of ρ 
𝟙 : fully mixed state 
δ(ρ, σ) : trace distance between ρ and σ 
|b⟩_θ : classical bit b encoded in basis θ 
ρ_XE : cq-state 

Entropies 

h(·) : binary Shannon entropy function 
α-order sum of X given Y with joint distribution P_XY 
H_α(X|Y) : Rényi entropy of order α of X given Y 
H_∞(X|Y) : min-entropy of X given Y 
H_2(X|Y) : collision entropy of X given Y 
H(X|Y) : Shannon entropy of X given Y 
H_0(X|Y) : max-entropy of X given Y 
H̄_α(X|Y) : average conditional Rényi entropy of order α 
H^ε_α(X|Y) : ε-smooth Rényi entropy of order α of X given Y 
H^ε_∞(X|Y) : ε-smooth min-entropy of X given Y 
H^ε_0(X|Y) : ε-smooth max-entropy of X given Y 
H_α(ρ) : Rényi entropy of order α of the state ρ 
H_min(ρ_AB | σ_B) : min-entropy of ρ_AB relative to σ_B 
H_min(ρ_AB | ℋ_B) : min-entropy of ρ_AB given ℋ_B 
H^ε_min(ρ_AB | σ_B) : ε-smooth min-entropy of ρ_AB relative to σ_B 
H^ε_min(ρ_AB | ℋ_B) : ε-smooth min-entropy of ρ_AB given ℋ_B 